- Issued:
- 2026-05-14
- Updated:
- 2026-05-14
RHSA-2026:17668 - Security Advisory
Synopsis
Critical: Red Hat Build of Apache Camel 4.18.1 for Spring Boot release.
Type/Severity
Security Advisory: Critical
Topic
Red Hat build of Apache Camel 4.18.1 for Spring Boot patch release and security update is now available.
Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.
Description
Red Hat build of Apache Camel 4.18.1 for Spring Boot patch release and security update is now available.
The purpose of this text-only errata is to inform you about the security issues fixed.
Security Fix(es):
- artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication (CVE-2026-27446)
- spring-boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path (CVE-2026-22731)
- plexus-utils: Plexus-utils: Directory Traversal in extractFile method (CVE-2025-67030)
- netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values (CVE-2026-33870)
- netty-codec-http: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)
- netty-codec-http2: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)
- jetty-ee10-annotations: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)
- jetty-ee10-apache-jsp: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)
- jetty-ee10-plus: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)
- jetty-ee10-servlet: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)
- jetty-ee10-servlets: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)
- jetty-ee10-webapp: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)
- kafka-clients: Apache Kafka Clients: Information disclosure and data corruption due to race condition in producer buffer management (CVE-2026-35554)
- camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization (CVE-2026-6857)
- bcprov-debug-jdk15on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)
- bcprov-jdk15on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)
- bcprov-jdk18on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)
- bcprov-lts8on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)
- bcpkix-jdk15on: PKIX draft CompositeVerifier accepts empty signature sequence as valid (CVE-2026-5588)
- bcpkix-jdk18on: PKIX draft CompositeVerifier accepts empty signature sequence as valid (CVE-2026-5588)
- bcpg-jdk18on: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion (CVE-2026-3505)
- bcprov-debug-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)
- bcprov-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)
- bcprov-jdk18on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)
- bcprov-lts8on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)
- spring-boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure. (CVE-2026-40975)
- camel-mail: Camel-Mail: Altered application behavior via header injection (CVE-2026-33454)
- camel-jms: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)
- camel-google-pubsub: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)
- camel-http: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)
- camel-http-base: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)
- camel-http-common: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)
- camel-http-starter: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)
- camel-jms: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage (CVE-2026-40860)
- camel-amqp: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage (CVE-2026-40860)
- camel-http-base: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers (CVE-2026-40022)
- camel-http-common: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers (CVE-2026-40022)
- camel-http: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers (CVE-2026-40022)
- camel-http-starter: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers (CVE-2026-40022)
- camel-infinispan-common: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data (CVE-2026-40858)
- camel-infinispan-embedded: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data (CVE-2026-40858)
- camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data (CVE-2026-40858)
- mina-core: Apache MINA: Arbitrary code execution via classname allowlist bypass (CVE-2026-41635)
- spring-boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison (CVE-2026-40972)
- camel-coap: Apache Camel camel-coap: Remote code execution via CoAP URI query parameter injection (CVE-2026-33453)
- jetty-http: HTTP request smuggling via chunked extension quoted-string parsing (CVE-2026-2332)
- spring-boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory (CVE-2026-40973)
Solution
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
For details on how to apply this update, refer to:
Affected Products
- Red Hat Integration - Camel for Spring Boot 1 x86_64
Fixes
- BZ - 2444320 - CVE-2026-27446 org.apache.artemis:artemis-server: org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication
- BZ - 2449290 - CVE-2026-22731 Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path
- BZ - 2451409 - CVE-2025-67030 org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method
- BZ - 2452453 - CVE-2026-33870 io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values
- BZ - 2452456 - CVE-2026-33871 netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood
- BZ - 2455916 - CVE-2026-35554 Apache Kafka Clients: Apache Kafka Clients: Information disclosure and data corruption due to race condition in producer buffer management
- BZ - 2456519 - CVE-2026-5795 org.eclipse.jetty.ee10/jetty-ee10: early return from the JASPIAuthenticator class without clearing ThreadLocal variables
- BZ - 2458187 - CVE-2026-2332 org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing
- BZ - 2458634 - CVE-2026-5588 bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid
- BZ - 2458638 - CVE-2026-3505 bouncycastle: BC-JAVA: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion
- BZ - 2458640 - CVE-2025-14813 bouncycastle: BC-JAVA: GOSTCTR implementation unable to process more than 255 blocks correctly
- BZ - 2458641 - CVE-2026-0636 bouncycastle: BC-JAVA: LDAP injection vulnerability in LDAPStoreHelper.java
- BZ - 2460003 - CVE-2026-6857 camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization
- BZ - 2463172 - CVE-2026-40860 Apache Camel: camel-jms: camel-sjms: camel-sjms2: camel-amqp: camel-activemq: camel-activemq6: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage
- BZ - 2463173 - CVE-2026-40453 Apache Camel: org.apache.camel: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection
- BZ - 2463177 - CVE-2026-41635 Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass
- BZ - 2463178 - CVE-2026-40022 camel-http: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers
- BZ - 2463179 - CVE-2026-40858 org.apache.camel/camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data
- BZ - 2463181 - CVE-2026-33454 Apache Camel: Camel-Mail: Camel-Mail: Altered application behavior via header injection
- BZ - 2463184 - CVE-2026-33453 Apache Camel: camel-coap: Apache Camel camel-coap: Remote code execution via CoAP URI query parameter injection
- BZ - 2463330 - CVE-2026-40973 Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
- BZ - 2463332 - CVE-2026-40972 Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison
CVEs
- CVE-2025-14813
- CVE-2025-67030
- CVE-2026-0636
- CVE-2026-2332
- CVE-2026-3505
- CVE-2026-5588
- CVE-2026-5795
- CVE-2026-6857
- CVE-2026-22731
- CVE-2026-27446
- CVE-2026-33453
- CVE-2026-33454
- CVE-2026-33870
- CVE-2026-33871
- CVE-2026-35554
- CVE-2026-40022
- CVE-2026-40453
- CVE-2026-40858
- CVE-2026-40860
- CVE-2026-40972
- CVE-2026-40973
- CVE-2026-40975
- CVE-2026-41635
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
