Skip to content

Add CVE-2026-43866 security advisory for camel-jms/camel-sjms ObjectMessage deserialization bypass#1687

Merged
oscerd merged 1 commit into
apache:mainfrom
oscerd:security/CVE-2026-43866
Jul 5, 2026
Merged

Add CVE-2026-43866 security advisory for camel-jms/camel-sjms ObjectMessage deserialization bypass#1687
oscerd merged 1 commit into
apache:mainfrom
oscerd:security/CVE-2026-43866

Conversation

@oscerd

@oscerd oscerd commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Adds the security advisory page for CVE-2026-43866 — a bypass of the CVE-2026-40860 JMS ObjectMessage deserialization class-filter.

A forged org.apache.camel.support.DefaultExchangeHolder carried inside a JMS ObjectMessage sits inside the trusted org.apache.camel.** allow-list, so it passes the checkDeserializedClass() check added by CVE-2026-40860. The receiving side then unmarshals it into the Exchange without requiring the transferExchange option — an asymmetric trust boundary — letting anyone able to publish an ObjectMessage to a consumed queue or topic inject the message body, headers, exchange properties, variables and exception, using only universally-trusted java.lang/java.util types (no deserialization gadget chain required).

Details

  • Severity: HIGH
  • Reporter: gaorenyusi
  • Affected components: camel-jms, camel-sjms, camel-sjms2, camel-amqp, camel-activemq, camel-activemq6
  • Fixed in: 4.14.8, 4.18.3, 4.21.0 — via CAMEL-23373 (camel-jms) and CAMEL-23409 (camel-sjms), which disable JMS ObjectMessage handling by default (new objectMessageEnabled option, default false)
  • CWE-502 (Deserialization of Untrusted Data), CWE-20 (Improper Input Validation)

Files

  • content/security/CVE-2026-43866.md — Hugo advisory source
  • content/security/CVE-2026-43866.txt.asc — clearsigned plaintext (key E34E9F3802FF4100)

⚠️ Hold merge until Apache Camel 4.14.8 / 4.18.3 / 4.21.0 are released. The fixes are already merged, but those versions are not yet cut; the advisory should only go live once the fixed releases are available for users to upgrade to.


Advisory drafted by Claude Code on behalf of Andrea Cosentino.

🤖 Generated with Claude Code

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
@oscerd oscerd merged commit d52ccb2 into apache:main Jul 5, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant