CVE-2026-42527

HIGHPre-NVD 8.1Trending — 4 sources updated this week
8.1
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 8.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Deserialization of Untrusted Data vulnerability in Apache Camel.

The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.;javax.;org.apache.camel.;!*', or the no-'javax.' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object's class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository). This issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.;java.;javax.;org.apache.camel.;!*' (or '!java.net.;java.;org.apache.camel.;!*' for the aggregation-repository components, which do not include javax.).

CVSS v3
8.1
EG Score
0.0(none)
EPSS
23.0%
KEV
Not listed

Published

July 6, 2026

Last Modified

July 6, 2026

Advisory Details (2)

Auto-updated Jul 6, 2026
No patch confirmed yet.
generic

oss-security - CVE-2026-42527: Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure

http://www.openwall.com/lists/oss-security/2026/07/05/4
generic

Apache Camel Security Advisory - CVE-2026-42527 - Apache Camel

https://camel.apache.org/security/CVE-2026-42527.html

Vendor Advisories for CVE-2026-42527(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 8× in last 7d / 8× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-06 19:06 UTCMITRE cvelistV5CVSS v3 → 8.1 · severity → HIGH
  2. 2026-07-06 16:27 UTCEPSS rescore
  3. 2026-07-06 16:27 UTCEPSS rescore
  4. 2026-07-06 11:43 UTCNVD update
  5. 2026-07-06 10:21 UTCMITRE cvelistV5
  6. 2026-07-06 09:42 UTCNVD update
  7. 2026-07-06 08:52 UTCEG score recompute
  8. 2026-07-06 08:51 UTCMITRE cvelistV5first tracked

Frequently asked(5)

What is CVE-2026-42527?
CVE-2026-42527 is a high vulnerability published on July 6, 2026. Deserialization of Untrusted Data vulnerability in Apache Camel. The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.;javax.;org.apache.camel.;!', or the no-'javax.' variant in the aggregation-repository…
When was CVE-2026-42527 disclosed?
CVE-2026-42527 was first published in the National Vulnerability Database on July 6, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-42527 actively exploited?
CVE-2026-42527 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 23.0% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-42527?
CVE-2026-42527 has a CVSS v3.1 base score of 8.1 (CISA-ADP / Vulnrichment enrichment; NVD's own analysis pending). EchelonGraph synthesises NVD + CISA KEV + FIRST EPSS + GHSA into a combined EG score of 0.0.
How do I remediate CVE-2026-42527?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-42527, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-42527

Explore →

Is Your Infrastructure Affected by CVE-2026-42527?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.