{ "threat_severity" : "Important", "public_date" : "2026-04-27T09:38:55Z", "bugzilla" : { "description" : "org.apache.camel/camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data", "id" : "2463179", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2463179" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-502", "details" : [ "A flaw was found in the camel-infinispan component of Apache Camel. A remote attacker, with the ability to write to the Infinispan cache, can inject a specially crafted serialized Java object. When this object is deserialized during normal aggregation repository operations, it can lead to arbitrary code execution within the application. This vulnerability stems from the component's use of java.io.ObjectInputStream without proper input filtering." ], "affected_release" : [ { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "camel-infinispan" }, { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "camel-infinispan-common" }, { "product_name" : "Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14", "release_date" : "2026-05-14T00:00:00Z", "advisory" : "RHSA-2026:17668", "cpe" : "cpe:/a:redhat:apache_camel_spring_boot:4.18", "package" : "camel-infinispan-embedded" } ], "package_state" : [ { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Affected", "package_name" : "camel-infinispan", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat build of Apache Camel 4 for Quarkus 3", "fix_state" : "Affected", "package_name" : "camel-infinispan-common", "cpe" : "cpe:/a:redhat:camel_quarkus:3" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "camel-infinispan", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "camel-infinispan-common", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "camel-infinispan-starter", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "camel-infinispan", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 8", "fix_state" : "Not affected", "package_name" : "camel-infinispan-common", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "camel-infinispan", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "camel-infinispan-common", "cpe" : "cpe:/a:redhat:jbosseapxp" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-40858\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40858\nhttps://camel.apache.org/security/CVE-2026-40858.html" ], "name" : "CVE-2026-40858", "csaw" : false }