Lucene search
K

11 matches found

Github Security Blog
Github Security Blog
added 2026/04/27 12:30 p.m.12 views

Apache Camel Vulnerable to Authentication Bypass Using an Alternate Path or Channel

When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server camel-platform-http-main and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and...

8.2CVSS5.8AI score0.00622EPSS
Exploits1References10Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/27 9:40 a.m.4 views

CVE-2026-40022

When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server camel-platform-http-main and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and...

5.2AI score0.00622EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/27 9:38 a.m.7 views

CVE-2026-40858 Apache Camel: Camel-Infinispan: Unsafe Deserialization in Remote Aggregation Repository

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a...

6.5AI score0.00711EPSS
Exploits1References1
OSV
OSV
added 2026/04/27 9:34 a.m.9 views

GHSA-JG2M-9X48-3GVJ Apache Camel has an incomplete fix for CVE-2025-27636

The fix for CVE-2025-27636 added setLowerCasetrue to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCasetrue call was not applied to five non-HTTP HeaderFilterStrategy...

9.9CVSS6.5AI score0.0086EPSS
Exploits0References10
OSV
OSV
added 2026/04/27 9:34 a.m.9 views

GHSA-V3VG-332R-MW99 Camel-PQC Vulnerable to Deserialization of Untrusted Data

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of .key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject has...

7.8CVSS6.4AI score0.00342EPSS
Exploits0References9
ATTACKERKB
ATTACKERKB
added 2026/04/27 8:3 a.m.4 views

CVE-2026-40860

JmsBinding.extractBodyFromJms in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is...

6.4AI score0.00881EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/04/27 8:3 a.m.30 views

CVE-2026-40860

Apache Camel CVE-2026-40860 describes unsafe deserialization of JMS ObjectMessage payloads in camel-jms, camel-sjms, camel-sjms2 and camel-amqp. The root cause is deserialization via javax.jms.ObjectMessage.getObject() without ObjectInputFilter or allow/deny lists, triggered when mapJmsMessage is...

9.8CVSS6.4AI score0.00881EPSS
Exploits0References7Affected Software1
Vulnrichment
Vulnrichment
added 2026/04/27 7:53 a.m.6 views

CVE-2026-40048 Apache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of .key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject has...

6.3AI score0.00342EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/27 7:53 a.m.31 views

CVE-2026-40048 Apache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of .key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject has...

0.00342EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/27 7:53 a.m.7 views

CVE-2026-40048

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of .key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject has...

6.3AI score0.00342EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/04/27 12:0 a.m.17 views

PT-2026-35369

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of .key files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair is evaluated only after readObject has...

6.3AI score0.00342EPSS
Exploits0References3
Rows per page
Query Builder