CVE-2026-42527

HIGH LAB

Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure

Title source: cna
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-42527. PoCs published by oscerd.

AI-analyzed exploit summary This repository provides a functional proof-of-concept for CVE-2026-42527, demonstrating a DNS side-channel attack via deserialization of a HashMap containing a java.net.URL key in Apache Camel's mina component. The exploit leverages a permissive default ObjectInputFilter to trigger DNS resolution of an attacker-controlled host.

Description

Deserialization of Untrusted Data vulnerability in Apache Camel. The default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object's class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository). This issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.**;java.**;javax.**;org.apache.camel.**;!*' (or '!java.net.**;java.**;org.apache.camel.**;!*' for the aggregation-repository components, which do not include javax.**).

Exploits (1)

github WORKING POC
by oscerd · javapoc
https://github.com/oscerd/CVE-2026-42527

This repository provides a functional proof-of-concept for CVE-2026-42527, demonstrating a DNS side-channel attack via deserialization of a HashMap containing a java.net.URL key in Apache Camel's mina component. The exploit leverages a permissive default ObjectInputFilter to trigger DNS resolution of an attacker-controlled host.

Classification
Working Poc 99%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: Apache Camel (versions 4.18.2 and others with permissive default ObjectInputFilter)
No auth needed
Prerequisites: Apache Camel with mina component using the vulnerable default ObjectInputFilter · Network access to the Camel mina TCP consumer port (5555 in the PoC)
mistral-large-3 · analyzed Jul 11, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 8.1
EPSS 0.0055
EPSS Percentile 42.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Lab Environment

COMMUNITY
Community Lab
docker pull eclipse-temurin:21-jre

Details

CWE
CWE-502
Status published
Products (5)
apache/camel 4.20.0
apache/camel 4.14.0 - 4.14.8
Apache Software Foundation/Apache Camel 4.14.0 - 4.14.8
Apache Software Foundation/Apache Camel 4.15.0 - 4.18.3
Apache Software Foundation/Apache Camel 4.19.0 - 4.21.0
Published Jul 06, 2026
Tracked Since Jul 06, 2026