4 matches found
CVE-2026-40473
A flaw was found in the camel-mina component of Apache Camel. This vulnerability allows a remote attacker to achieve arbitrary code execution by sending a specially crafted serialized Java object over the network to the MINA consumer port. The MinaConverter.toObjectInput type converter, used when...
org.apache.camel.kafkaconnector:camel-mina-kafka-connector (>=0.1.0 <=0.11.5), org.apache.camel.karaf:camel-mina (>=4.10.3 <=4.14.5) +5 more potentially affected by CVE-2026-40473 via org.apache.camel:camel-mina (>=3.0.0-RC1 <=4.14.5)
org.apache.camel:camel-mina MAVEN
version =3.0.0-RC1, =0.1.0, =4.10.3, =3.0.0, =3.0.0-RC1, =4.0-20200713, =4.0-20200713, =4.0-20200713, =4.3.2
Source cves: CVE-2026-40473
Source advisory: SNYK:JAVA-ORGAPACHECAMEL-16321635...
org.apache.camel.kafkaconnector:camel-mina-kafka-connector (>=0.1.0 <=0.11.5), org.apache.camel.karaf:camel-mina (>=4.10.3 <=4.14.5) +4 more potentially affected by CVE-2026-40473 via org.apache.camel:camel-mina (>=3.0.0 <=4.14.5)
org.apache.camel:camel-mina MAVEN
version =3.0.0, =0.1.0, =4.10.3, =3.0.0, =4.0-20200713, =4.0-20200713, =4.0-20200713, =4.3.2
Source cves: CVE-2026-40473
Source advisory: OSV:GHSA-VPR3-2659-RW55...
CVE-2026-40473
The camel-mina component's MinaConverter.toObjectInputIoBuffer type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput f...