oscerd opened a new pull request, #1687: URL: https://github.com/apache/camel-website/pull/1687
Adds the security advisory page for **CVE-2026-43866** — a bypass of the [CVE-2026-40860](https://camel.apache.org/security/CVE-2026-40860.html) JMS `ObjectMessage` deserialization class-filter. A forged `org.apache.camel.support.DefaultExchangeHolder` carried inside a JMS `ObjectMessage` sits inside the trusted `org.apache.camel.**` allow-list, so it passes the `checkDeserializedClass()` check added by CVE-2026-40860. The receiving side then unmarshals it into the Exchange without requiring the `transferExchange` option — an asymmetric trust boundary — letting anyone able to publish an `ObjectMessage` to a consumed queue or topic inject the message body, headers, exchange properties, variables and exception, using only universally-trusted `java.lang`/`java.util` types (no deserialization gadget chain required). **Details** - Severity: **HIGH** - Reporter: gaorenyusi - Affected components: `camel-jms`, `camel-sjms`, `camel-sjms2`, `camel-amqp`, `camel-activemq`, `camel-activemq6` - Fixed in: **4.14.8, 4.18.3, 4.21.0** — via [CAMEL-23373](https://issues.apache.org/jira/browse/CAMEL-23373) (camel-jms) and [CAMEL-23409](https://issues.apache.org/jira/browse/CAMEL-23409) (camel-sjms), which disable JMS `ObjectMessage` handling by default (new `objectMessageEnabled` option, default `false`) - CWE-502 (Deserialization of Untrusted Data), CWE-20 (Improper Input Validation) **Files** - `content/security/CVE-2026-43866.md` — Hugo advisory source - `content/security/CVE-2026-43866.txt.asc` — clearsigned plaintext (key `E34E9F3802FF4100`) > ⚠️ **Hold merge until Apache Camel 4.14.8 / 4.18.3 / 4.21.0 are released.** The fixes are already merged, but those versions are not yet cut; the advisory should only go live once the fixed releases are available for users to upgrade to. --- _Advisory drafted by Claude Code on behalf of Andrea Cosentino._ 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
