SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2026-40473
    ▲ HighCVSS 8.8EPSS 0.00926%

    Camel-Mina: Unsafe Deserialization in MinaConverter.toObjectInput() via TCP/UDP

    The camel-mina component's MinaConverter.toObjectInput() wraps an IoBuffer in java.io.ObjectInputStream without ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer with ObjectInput body conversion, an authenticated remote attacker sending a crafted serialized payload can achieve arbitrary code execution.

    CVE IDCVE-2026-40473
    CVSS v3.18.8 High
    VendorApache
    CWECWE-502: Deserialization of Untrusted Data
    DisclosedApr 27, 2026
    StatusPublished
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Vulnerable Code
    • 04Trigger Conditions
    • 05Impact
    • 06Remediation
    • 07Timeline
    • 08References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    MinaConverter.toObjectInput(IoBuffer) in camel-mina wraps a raw network IoBuffer in java.io.ObjectInputStream without applying ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java gadget chain over the network can achieve arbitrary code execution.

    Vendor
    Apache
    Product
    Apache Camel
    Severity
    High
    CVSS Score
    8.8
    Status
    Published
    CWE
    CWE-502: Deserialization of Untrusted Data
    Vector
    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    8.8CVSS 3.1
    VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    ScopeUnchanged
    ImpactC:H / I:H / A:H
    SeverityHigh
    PoC · Exploitation Steps▲ trigger
    01No public PoC available
    03/Vulnerable Code

    The bug, and the fix.

    MinaConverter.java: toObjectInput(IoBuffer buf) { return new ObjectInputStream(buf.asInputStream()); } // No ObjectInputFilter applied

    Root cause: ObjectInputStream instantiated without ObjectInputFilter in MinaConverter type conversion; any consumer using ObjectInput conversion is vulnerable

    04/Trigger Conditions

    When does this fire?

    All conditions must be true for the exploit to succeed.

    Authenticated attacker connects to a Camel route using camel-mina as TCP or UDP consumer with ObjectInput body type conversion and sends a crafted serialized Java gadget chain payload

    05/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    Arbitrary code execution on the Camel application host; potential full system compromise

    06/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Upgrade to Apache Camel 4.14.7, 4.18.2, or 4.20.0 which apply ObjectInputFilter in MinaConverter. Avoid ObjectInput body type conversion in camel-mina routes. Restrict network access to Mina endpoints.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2026-40473, contact disclose@securin.io
    07/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Vendor notified

    2026-04-27: CVE published | 2026-04-26: Fix released in Camel 4.14.7, 4.18.2, 4.20.0

    Timeline recorded · Disclosure coordinated by Securin

    08/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2026-40473

    nvd.nist.gov/vuln/detail/CVE-2026-40473 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →
    APACHE

    https://camel.apache.org/security/CVE-2026-40473.html

    https://camel.apache.org/security/CVE-2026-40473.html →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum