
6 matches found

Github Security Blog
added 2026/04/27 12:30 p.m., 6 views

Apache Camel-Consul component vulnerable to Deserialization of Untrusted Data

The ConsulRegistry in the camel-consul component class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject without configuring an ObjectInputFilte...

CVSS: 8.8, AI score: 6.3, EPSS: 0.00271
Exploits: 0, References: 10, Affected Software: 1
vulnersOsv
added 2026/04/27 12:30 p.m., 3 views

org.apache.camel.kafkaconnector:camel-consul-kafka-connector (>=0.1.0 <=0.11.5), org.apache.camel.karaf:camel-consul (>=4.10.3 <=4.14.5) +7 more potentially affected by CVE-2026-27172 via org.apache.camel:camel-consul (>=3.0.0 <=4.14.5)

org.apache.camel:camel-consul MAVEN version =3.0.0, =0.1.0, =4.10.3, =4.10.3, =1.0.0, =1.0.0, =1.0.0, =4.10.0, =3.0.0, =4.14.5 - org.wildfly.camel:wildfly-camel-itests-standalone-docker =12.0.0 Source cves: CVE-2026-27172 Source advisory: OSV:GHSA-5RC6-9QFP-8VWG...

CVSS: 8.8, AI score: 5.8, EPSS: 0.00271
Exploits: 0
vulnersOsv
added 2026/04/27 12:14 p.m., 4 views

org.apache.camel.kafkaconnector:camel-consul-kafka-connector (>=0.1.0 <=0.11.5), org.apache.camel.karaf:camel-consul (>=4.10.3 <=4.14.5) +8 more potentially affected by CVE-2026-27172 via org.apache.camel:camel-consul (>=3.0.0-M1 <=4.14.5)

org.apache.camel:camel-consul MAVEN version =3.0.0-M1, =0.1.0, =4.10.3, =4.10.3, =1.0.0, =1.0.0, =1.0.0, =4.10.0, =3.0.0, =3.0.0-M1, =3.0.0-RC3 - org.wildfly.camel:wildfly-camel-itests-standalone-docker =12.0.0 Source cves: CVE-2026-27172 Source advisory: SNYK:JAVA-ORGAPACHECAMEL-16321641...

CVSS: 8.8, AI score: 5.8, EPSS: 0.00271
Exploits: 0
Snyk
added 2026/04/27 12:14 p.m., 2 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the ConsulRegistryUtils.deserialize method, which fails to apply an ObjectInputFilter. An attacker can execute arbitrary code by injecting a malicious serialized Java object into the Consul K...

CVSS: 8.8, AI score: 6.1, EPSS: 0.00271
Exploits: 0, References: 2
Vulnrichment
added 2026/04/27 9:59 a.m., 0 views

CVE-2026-27172 Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store

The ConsulRegistry in the camel-consul component class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject without configuring an ObjectInputFilte...

AI score: 6.2, EPSS: 0.00271
Exploits: 0, References: 1
Cvelist
added 2026/04/27 9:59 a.m., 27 views

CVE-2026-27172 Apache Camel: Unsafe Java deserialization in camel-consul ConsulRegistry allows arbitrary code execution via malicious values read from the Consul KV store

The ConsulRegistry in the camel-consul component class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject without configuring an ObjectInputFilte...

EPSS: 0.00271
Exploits: 0, References: 1