Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →


CVE-2026-40860 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-40860 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-40860 is an unsafe deserialization vulnerability in Apache Camel's camel-jms and camel-sjms components, specifically within the JmsBinding class used to process incoming JMS ObjectMessage payloads.

Technical Detail

The flaw exists in the JmsBinding.extractBodyFromJms() method, which calls javax.jms.ObjectMessage.getObject() to deserialize the payload of each incoming JMS ObjectMessage without adequate validation or type restriction. An attacker who can deliver a crafted JMS ObjectMessage to an affected Camel endpoint can supply a malicious serialized Java object, potentially achieving remote code execution on the host running the Camel application. The severity is rated Critical with a CVSS score of 9.8, reflecting the low complexity of exploitation and the potential for full system compromise without authentication.

Exploitation Status

No known exploit has been publicly documented or confirmed as of May 4, 2026. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. While no proof-of-concept code has been identified, the vulnerability class (Java deserialization via JMS ObjectMessage) is well understood by the security community and exploitation techniques for similar flaws are broadly documented, which lowers the barrier for development of working exploits.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been associated with this CVE. Organizations running Apache Camel in enterprise integration or messaging infrastructure should treat this as a high-priority exposure given the criticality of the vulnerability class, regardless of current attribution gaps.

What To Do

Apply the vendor-supplied patch from Apache for the affected camel-jms and camel-sjms components as soon as it becomes available, prioritizing any internet-facing or externally reachable Camel endpoints that process JMS messages. As an interim workaround, restrict JMS ObjectMessage processing by disabling or filtering ObjectMessage types at the broker or application level where operationally feasible, and avoid accepting JMS messages from untrusted sources. Organizations should audit Camel deployments to identify all routes using JmsBinding with ObjectMessage support. Detection efforts should focus on anomalous JMS message payloads containing serialized Java objects, particularly those referencing known gadget chains associated with Java deserialization attacks such as those in Apache Commons Collections or Spring Framework.
