What this actually is.
Technical background, root cause, and affected surface.
MinaConverter.toObjectInput(IoBuffer) in camel-mina wraps a raw network IoBuffer in java.io.ObjectInputStream without applying ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java gadget chain over the network can achieve arbitrary code execution.
- Vendor
- Apache
- Product
- Apache Camel
- Severity
- High
- CVSS Score
- 8.8
- Status
- Published
- CWE
- CWE-502: Deserialization of Untrusted Data
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
MinaConverter.java: toObjectInput(IoBuffer buf) { return new ObjectInputStream(buf.asInputStream()); } // No ObjectInputFilter applied
Root cause: ObjectInputStream instantiated without ObjectInputFilter in MinaConverter type conversion; any consumer using ObjectInput conversion is vulnerable
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated attacker connects to a Camel route using camel-mina as TCP or UDP consumer with ObjectInput body type conversion and sends a crafted serialized Java gadget chain payload
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Arbitrary code execution on the Camel application host; potential full system compromise
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Apache Camel 4.14.7, 4.18.2, or 4.20.0 which apply ObjectInputFilter in MinaConverter. Avoid ObjectInput body type conversion in camel-mina routes. Restrict network access to Mina endpoints.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-04-27: CVE published | 2026-04-26: Fix released in Camel 4.14.7, 4.18.2, 4.20.0
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.