RHSA-2026:17668 (Severity: Critical, CVSS 9.9)

Red Hat Security Advisory: Red Hat Build of Apache Camel 4.18.1 for Spring Boot release.

Published: May 14, 2026
Last Modified: May 27, 2026

CVE IDs covered (23)

Description

CVE-2025-14813 — bouncycastle: BC-JAVA: GOSTCTR implementation unable to process more than 255 blocks correctly
CVE-2025-67030 — org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method
CVE-2026-0636 — bouncycastle: BC-JAVA: LDAP injection vulnerability in LDAPStoreHelper.java
CVE-2026-2332 — org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension quoted-string parsing
CVE-2026-3505 — bouncycastle: BC-JAVA: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion
CVE-2026-5588 — bouncycastle: BC-JAVA: PKIX draft CompositeVerifier accepts empty signature sequence as valid
CVE-2026-5795 — org.eclipse.jetty.ee10/jetty-ee10: early return from the JASPIAuthenticator class without clearing ThreadLocal variables
CVE-2026-6857 — camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization
CVE-2026-22731 — Spring Boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path
CVE-2026-27446 — org.apache.artemis:artemis-server: org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication
CVE-2026-33453 — Apache Camel: camel-coap: Apache Camel camel-coap: Remote code execution via CoAP URI query parameter injection
CVE-2026-33454 — Apache Camel: Camel-Mail: Camel-Mail: Altered application behavior via header injection
CVE-2026-33870 — io.netty/netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values
CVE-2026-33871 — netty: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood
CVE-2026-35554 — Apache Kafka Clients: Apache Kafka Clients: Information disclosure and data corruption due to race condition in producer buffer management
CVE-2026-40022 — camel-http: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers
CVE-2026-40453 — Apache Camel: org.apache.camel: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection
CVE-2026-40858 — org.apache.camel/camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data
CVE-2026-40860 — Apache Camel: camel-jms: camel-sjms: camel-sjms2: camel-amqp: camel-activemq: camel-activemq6: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage
CVE-2026-40972 — Spring Boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison
CVE-2026-40973 — Spring Boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory
CVE-2026-40975 — Spring Boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure
CVE-2026-41635 — Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass
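The description lists its 23 entries in a single "CVE — component: summary" shape, which is awkward to compare against a build by hand. The following Python is an added triage helper, not Red Hat tooling and not part of this advisory: it parses that text into (CVE, component, summary) records and flags which artifacts in a Maven dependency list fall under a listed component. The advisory excerpt is copied from this page; the `mvn dependency:list` lines are constructed, not from a real build; the component-to-artifact matching is a substring heuristic chosen here and deliberately over-matches. Because the page gives no fixed versions, the script reports that a listed component is present, not that a particular version is vulnerable; confirm each hit against the CVE page before acting on it.

```python
"""Parse the advisory's run-on CVE list and triage a Maven dependency list.

Added example (not Red Hat tooling). ADVISORY_EXCERPT is copied from the page;
DEPENDENCY_LIST is constructed to look like `mvn dependency:list` output.
"""
import re
from dataclasses import dataclass

# Excerpt of the advisory description as it appears on the page: entries are
# separated only by the next CVE ID.
ADVISORY_EXCERPT = (
    "CVE-2025-14813 — bouncycastle: BC-JAVA: GOSTCTR implementation unable to "
    "process more than 255 blocks correctly CVE-2026-2332 — "
    "org.eclipse.jetty/jetty-http: HTTP request smuggling via chunked extension "
    "quoted-string parsing CVE-2026-6857 — camel-infinispan: camel-infinispan: "
    "Remote Code Execution via Unsafe Deserialization CVE-2026-22731 — "
    "Spring Boot: Spring Boot: Authentication bypass via misconfigured Health "
    "Group additional path CVE-2026-27446 — org.apache.artemis:artemis-server: "
    "org.apache.activemq:artemis-server: Apache Artemis, Apache ActiveMQ Artemis: "
    "Message injection and exfiltration due to missing authentication "
    "CVE-2026-33871 — netty: Netty: Denial of Service via HTTP/2 CONTINUATION "
    "frame flood CVE-2026-40972 — Spring Boot: Spring Boot: Remote code execution "
    "via timing attack in DevTools remote secret comparison CVE-2026-41635 — "
    "Apache MINA: Apache MINA: Arbitrary code execution via classname allowlist bypass"
)

# Constructed `mvn dependency:list` output; versions are illustrative only.
DEPENDENCY_LIST = """\
[INFO]    org.bouncycastle:bcprov-jdk18on:jar:1.78:compile
[INFO]    org.eclipse.jetty:jetty-http:jar:12.0.14:compile
[INFO]    org.springframework.boot:spring-boot:jar:3.4.2:compile
[INFO]    org.apache.activemq:artemis-server:jar:2.37.0:compile
[INFO]    io.netty:netty-codec-http2:jar:4.1.115.Final:compile
[INFO]    org.apache.camel:camel-core:jar:4.18.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.18.2:compile
"""


@dataclass(frozen=True)
class Entry:
    cve: str
    component: str  # Red Hat's component field: the text before the first ": "
    summary: str


# Each entry runs from a CVE ID up to (not including) the next "CVE-... —".
_ENTRY_RE = re.compile(
    r"(CVE-\d{4}-\d{4,})\s+—\s+(.*?)(?=\s+CVE-\d{4}-\d{4,}\s+—|\Z)", re.S
)
_DEP_RE = re.compile(
    r"^\[INFO\]\s+([\w.\-]+):([\w.\-]+):(?:jar|pom|war):([\w.\-]+):", re.M
)


def parse_advisory(text):
    """Split the run-on description into Entry records."""
    entries = []
    for cve, rest in _ENTRY_RE.findall(text):
        component, _, summary = rest.partition(": ")
        entries.append(Entry(cve, component.strip(), summary.strip()))
    return entries


def component_key(component):
    """Reduce a component name to the token most likely to appear in a Maven
    groupId:artifactId. Heuristic chosen for this example; it over-matches
    (e.g. "netty" hits every io.netty artifact), which is the safe direction."""
    key = component.lower()
    key = re.sub(r"^apache\s+", "", key)   # "Apache MINA" -> "mina"
    key = re.split(r"[:/]", key)[-1]       # "org.eclipse.jetty/jetty-http" -> "jetty-http"
    return key.replace(" ", "-")           # "spring boot" -> "spring-boot"


def parse_dependency_list(text):
    """Return (groupId, artifactId, version) tuples from dependency:list lines."""
    return [(g, a, v) for g, a, v in _DEP_RE.findall(text)]


def triage(entries, deps):
    """Map "groupId:artifactId:version" to the sorted CVEs whose component key
    occurs in its groupId:artifactId. Presence only: no version comparison."""
    hits = {}
    for g, a, v in deps:
        coord = f"{g}:{a}".lower()
        cves = sorted({e.cve for e in entries if component_key(e.component) in coord})
        if cves:
            hits[f"{g}:{a}:{v}"] = cves
    return hits


if __name__ == "__main__":
    found = parse_advisory(ADVISORY_EXCERPT)
    for coord, cves in triage(found, parse_dependency_list(DEPENDENCY_LIST)).items():
        print(f"{coord} -> {', '.join(cves)}")
```

Run it against the real output of `mvn dependency:list` on your project and the full description text; artifacts that match only because of a short key (such as "mina" or "netty") still need the exact fixed version from the linked CVE pages before they count as vulnerable.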
