Remote Code Execution via Unsafe Deserialization in Camel-Infinispan ProtoStream
CVE-2026-6857 Published on April 22, 2026

Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization
A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.

NVD

Vulnerability Analysis

CVE-2026-6857 can be exploited with network access and requires only a small amount of user privileges. This vulnerability is considered to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Timeline

Reported to Red Hat.

Made public.

Weakness Type

What is a Marshaling, Unmarshaling Vulnerability?

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

CVE-2026-6857 has been classified as a Marshaling, Unmarshaling vulnerability or weakness.

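To make the weakness class concrete, here is an added example that is not code from this advisory or from the camel-infinispan project, and that does not reproduce the ProtoStream-specific issue. It uses plain Java serialization, which is the textbook form of CWE-502: an unfiltered reader instantiates whatever class the incoming byte stream names, while a reader with a JEP 290 ObjectInputFilter allowlist refuses every class except the one the application expects. The AggregateRecord type, the sample inputs, and the filter limits are assumptions chosen for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.InvalidObjectException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

// Added example, not code from the advisory or from camel-infinispan.
// It demonstrates CWE-502 with plain Java serialization: an unfiltered reader
// instantiates whatever class the byte stream names, while a reader with an
// allowlist filter rejects anything except the type the application expects.
public class DeserializationExample {

    // Hypothetical record type standing in for "the data the application expects".
    public static final class AggregateRecord implements Serializable {
        private static final long serialVersionUID = 1L;
        final String key;
        final int count;
        AggregateRecord(String key, int count) { this.key = key; this.count = count; }
    }

    // VULNERABLE pattern: no check on what the stream describes. Any serializable class
    // on the classpath can be instantiated, and its readObject()/readResolve() logic runs
    // before the caller gets a chance to look at the result.
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: a JEP 290 ObjectInputFilter (Java 9+) that allows only the expected
    // class, rejects every other class ("!*"), and caps graph depth, reference count and size.
    // Rejection happens when the class descriptor is read, i.e. before any object is built.
    static AggregateRecord readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                AggregateRecord.class.getName() + ";!*;maxdepth=4;maxrefs=64;maxbytes=4096");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(allowlist);
            Object o = in.readObject();
            if (!(o instanceof AggregateRecord)) {   // defence in depth: enforce the type as well
                throw new InvalidObjectException("expected AggregateRecord, got " + o.getClass());
            }
            return (AggregateRecord) o;
        }
    }

    // Helper: serialize an object to bytes (stands in for data arriving over the network).
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the legitimate record passes the filtered reader.
        byte[] good = serialize(new AggregateRecord("orders", 42));
        System.out.println("filtered, expected type: " + readFiltered(good).key);

        // Constructed sample input: a harmless but unexpected class (ArrayList) stands in for
        // a type the sender chose. The unfiltered reader instantiates it without complaint;
        // the filtered reader rejects it before any object is constructed.
        byte[] unexpected = serialize(new ArrayList<String>());
        System.out.println("unfiltered, unexpected type: " + readUnfiltered(unexpected).getClass());
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered reader rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the `jdk.serialFilter` system property, which is the pragmatic mitigation when the deserializing code lives in a library you cannot change. For a serialization format other than Java's built-in one, the equivalent control is to restrict the set of types the unmarshaller may instantiate to exactly those the application expects.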
Products Associated with CVE-2026-6857


Affected Versions

Red Hat build of Apache Camel 4 for Quarkus 3
Red Hat build of Apache Camel for Spring Boot 4
Red Hat Fuse 7
Red Hat JBoss Enterprise Application Platform 8
Red Hat JBoss Enterprise Application Platform Expansion Pack