CVE-2026-40860

🗓️ 27 Apr 2026 08:03:19Reported by apacheType

Unsafe JMS ObjectMessage deserialization in Apache Camel may allow code execution; upgrade 4.20.0.

Reporter	Title	Published	Views	Family All 22
ATTACKERKB	CVE-2026-40860	27 Apr 202608:03	–	attackerkb
Circl	CVE-2026-40860	26 Apr 202619:27	–	circl
CNNVD	Apache Camel 代码问题漏洞	27 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-40860 Apache Camel: Unsafe Deserialization of JMS ObjectMessage in camel-jms, camel-sjms, camel-sjms2 and camel-amqp	27 Apr 202608:03	–	cvelist
EUVD	EUVD-2026-25794	27 Apr 202608:03	–	euvd
NCSC	Vulnerabilities handled in Apache Camel	29 Apr 202608:12	–	ncsc
NVD	CVE-2026-40860	27 Apr 202609:16	–	nvd
Positive Technologies	PT-2026-35372	27 Apr 202600:00	–	ptsecurity
RedhatCVE	CVE-2026-40860	4 May 202618:03	–	redhatcve
RedHat Linux	Critical: Red Hat Security Advisory: Red Hat Build of Apache Camel 4.18.1 for Spring Boot release.	14 May 202616:55	–	redhat

NVD

Vulners

Node

apache camelRange3.0.0–4.14.7

apache camelRange4.15.0–4.18.2

apache camelMatch4.19.0

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.camel:camel-jms",
    "product": "Apache Camel",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.14.7",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.18.2",
        "status": "affected",
        "version": "4.15.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.20.0",
        "status": "affected",
        "version": "4.19.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
camel	www.camel.apache.org/security/CVE-2026-40860.html
openwall	www.openwall.com/lists/oss-security/2026/04/26/10

28 Apr 2026 19:42Current

6.4Medium risk

Vulners AI Score6.4

CVSS 3.19.8

EPSS0.00961

SSVC

CWE-502