This is an automated email from the ASF dual-hosted git repository.
oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new d52ccb28 Added CVE-2026-43866 (#1687)
d52ccb28 is described below
commit d52ccb280d889c7674d0467246f548edb2397f8b
Author: Andrea Cosentino <[email protected]>
AuthorDate: Sun Jul 5 16:03:16 2026 +0200
Added CVE-2026-43866 (#1687)
Signed-off-by: Andrea Cosentino <[email protected]>
---
content/security/CVE-2026-43866.md | 17 +++++++++++++++++
content/security/CVE-2026-43866.txt.asc | 31 +++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
diff --git a/content/security/CVE-2026-43866.md
b/content/security/CVE-2026-43866.md
new file mode 100644
index 00000000..f7b7f9b4
--- /dev/null
+++ b/content/security/CVE-2026-43866.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-43866"
+date: 2026-07-05T10:00:00+02:00
+url: /security/CVE-2026-43866.html
+draft: false
+type: security-advisory
+cve: CVE-2026-43866
+severity: HIGH
+summary: "Camel JMS deserialization filter bypass: a forged
DefaultExchangeHolder carried in a JMS ObjectMessage passes the CVE-2026-40860
class check and is unmarshalled into the Exchange, letting an attacker who can
publish an ObjectMessage inject the message body, headers, exchange properties,
variables and exception"
+description: "JmsBinding.extractBodyFromJms() in camel-jms - and the
equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming
JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject() whenever the
mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer.
The CVE-2026-40860 hardening added a post-deserialization class check that
rejects classes outside the default allow-list
java.**;javax.**;org.apache.camel.**;!*. However org.apache.camel.supp [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes
the issue. If users are on the 4.14.x LTS releases stream, then they are
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream,
then they are suggested to upgrade to 4.18.3. After upgrading, JMS
ObjectMessage handling is disabled by default in camel-jms, camel-sjms and the
JMS-family components (a new objectMessageEnabled option defaults to false at
the component and endpoint level), so an i [...]
+credit: "This issue was discovered by gaorenyusi"
+affected: "From 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-23373
(camel-jms) and https://issues.apache.org/jira/browse/CAMEL-23409 (camel-sjms)
refer to the various commits that resolved the issue, and have more details.
The camel-jms fix was merged on main in
https://github.com/apache/camel/pull/22866 (commit
6cb29c0bbd7d1c46f057eac46c4afa62c9f5e00f) and backported to camel-4.18.x
(commit 844bbf8c894c5e2bfa023579db80dcd3354c0e1b) and camel-4.14.x (commit
75d7991b89265a2e8e62c7207165d [...]
diff --git a/content/security/CVE-2026-43866.txt.asc
b/content/security/CVE-2026-43866.txt.asc
new file mode 100644
index 00000000..61492163
--- /dev/null
+++ b/content/security/CVE-2026-43866.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-43866"
+date: 2026-07-05T10:00:00+02:00
+url: /security/CVE-2026-43866.html
+draft: false
+type: security-advisory
+cve: CVE-2026-43866
+severity: HIGH
+summary: "Camel JMS deserialization filter bypass: a forged
DefaultExchangeHolder carried in a JMS ObjectMessage passes the CVE-2026-40860
class check and is unmarshalled into the Exchange, letting an attacker who can
publish an ObjectMessage inject the message body, headers, exchange properties,
variables and exception"
+description: "JmsBinding.extractBodyFromJms() in camel-jms - and the
equivalent JmsBinding in camel-sjms - deserializes the payload of an incoming
JMS ObjectMessage via jakarta.jms.ObjectMessage.getObject() whenever the
mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer.
The CVE-2026-40860 hardening added a post-deserialization class check that
rejects classes outside the default allow-list
java.**;javax.**;org.apache.camel.**;!*. However org.apache.camel.supp [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes
the issue. If users are on the 4.14.x LTS releases stream, then they are
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream,
then they are suggested to upgrade to 4.18.3. After upgrading, JMS
ObjectMessage handling is disabled by default in camel-jms, camel-sjms and the
JMS-family components (a new objectMessageEnabled option defaults to false at
the component and endpoint level), so an i [...]
+credit: "This issue was discovered by gaorenyusi"
+affected: "From 3.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA tickets: https://issues.apache.org/jira/browse/CAMEL-23373
(camel-jms) and https://issues.apache.org/jira/browse/CAMEL-23409 (camel-sjms)
refer to the various commits that resolved the issue, and have more details.
The camel-jms fix was merged on main in
https://github.com/apache/camel/pull/22866 (commit
6cb29c0bbd7d1c46f057eac46c4afa62c9f5e00f) and backported to camel-4.18.x
(commit 844bbf8c894c5e2bfa023579db80dcd3354c0e1b) and camel-4.14.x (commit
75d7991b89265a2e8e62c7207165d [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmpKV6QACgkQ406fOAL/
+QQCE/gf/dBklKhHpK3THpOHwBLf+U8rUmDKfMukNKNu0NwLjoCTkSq+JZcJKrK+1
+tM7xUgccn1Uu6JkSgI08tZmBxMoxwE54mg6FqXIO/Q64l7c2t/Xh9oIZ4+vHnuZg
+LYRINlSPoneE6nWM23mE+WTLqvYfQy6d6gREsixqmVi/aVljSP5gnMbDr+pZX0Vh
++20VB2xpDet7X5jIF0a55bUEv4YxT+XL5q0bd8wQ4+Dbxq/M2FVmA1n/1nJz7e6/
+Be8TnrQok2GvUcSVkaYiXf+WI0Urmy4WhaUUBQu2OZVbsg/RcIx4E5iqgJK83OVq
+iTy2AEqX11MIftQqMvZlhEUOkDVrog==
+=lt55
+-----END PGP SIGNATURE-----