CVE-2026-40859 camel vulnerability
Deserialization of Untrusted Data vulnerability in Apache Camel. The camel-vertx-http component deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java.io.ObjectInputStream, without applying any ObjectInputFilter (VertxHttpHelper.deserializeJavaObjectFromStream) This deserialization path is reached only when the producer endpoint is configured with transferException=true (or the component-level allowJavaSerializedObject=true) and throwExceptionOnFailure is left at its default value of true; in that case a backend HTTP response with a 5xx status and the application/x-java-serialized-object content type has its body deserialized with no class restrictions. An attacker who controls the backend the Camel producer talks to - through a man-in-the-middle position on an unencrypted (plain HTTP) connection, or by compromising the backend service - can return a crafted serialized Java object and, if a suitable gadget chain is present on the classpath, achieve remote code execution on the Camel application host. The path is not reachable in the default configuration, where transferException is false. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the deserialization performed by both helper utilities is constrained by a default ObjectInputFilter (allow-list java.**;javax.**;org.apache.camel.**;!*), which can be customised through the new deserializationFilter endpoint option or the JVM-wide -Djdk.serialFilter system property. For deployments that cannot upgrade immediately: do not enable transferException=true (or allowJavaSerializedObject=true) on producers that talk to untrusted or network-reachable backends; ensure producer connections use TLS (https) so that a response cannot be substituted by a man-in-the-middle; and, where the option is required, set an explicit -Djdk.serialFilter allow-list (for example java.**;org.apache.camel.**;!*) to constrain deserialization.
Quick answer
apache camel should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- 4.19.0
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
CVE-2026-40859 affects Apache Camel deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java. Upgrade Apache Camel on the deployed branch to 4.14.8, 4.18.3 and review any route that exposes this component to user-controlled messages, headers, files, or backend responses. Affected ranges in the local record are 4.0.0 through before 4.14.8; 4.15.0 through before 4.18.3.
- Inventory every service, route, integration runtime, container image, and dependency lockfile that includes Apache Camel deserializes HTTP response bodies carrying the Content-Type application/x-java-serialized-object using a raw java or related Camel modules.
- Compare deployed Camel versions with the affected ranges for CVE-2026-40859; prioritize internet-facing routes, message brokers, file parsers, and integrations that process untrusted input.
- Upgrade to 4.14.8, 4.18.3, or to a later vendor-supported Camel release on the same branch.
- Rebuild application artifacts and container images from a clean dependency lockfile so vulnerable Camel modules are removed from direct and transitive dependencies.
- Harden route boundaries by filtering user-controlled Camel headers, component control headers, serialized objects, command arguments, paths, and backend response bodies before they reach Camel internals.
- Rotate credentials, tokens, queue secrets, and integration keys if the affected route could expose data, redirect backend requests, deserialize attacker-controlled objects, or execute unintended operations.
- Deploy first to staging, run regression tests for the impacted route, then promote to production with monitoring for route errors, deserialization events, SSRF indicators, unexpected command arguments, and authorization failures.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm dependency output shows Apache Camel 4.14.8, 4.18.3 or a later fixed release in every affected application.
- Replay malicious or unexpected headers, serialized payloads, paths, files, command arguments, and backend responses against the affected route and verify they are rejected or sanitized.
- Check application logs after deployment for exceptions, leaked stack traces, SSRF attempts, command execution anomalies, unauthorized backend operations, or unexpected route destinations.
- Open the generated Fixnx page and confirm the canonical URL ends with camel-cve-2026-40859.
- Re-run sitemap validation and confirm camel-cve-2026-40859 appears once in sitemap.xml with the full CVE-2026-40859 suffix.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-40859?
apache camel versions listed as affected should be reviewed: 4.19.0.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
How are Fixnx security risk categories chosen?
Fixnx keeps one canonical risk page and assigns only broad, relevant categories such as ecosystem, technology area, or vulnerability class.
