7.1
Apache Camel Allows Malicious Data to Run Code on Your Server
CVE-2026-25747
GHSA-429q-mrc4-38fr
Summary
A deserialization flaw in Apache Camel's LevelDB component lets an attacker who can write to the application's LevelDB database files plant a crafted serialized Java object that runs code on your server when the aggregation repository reads it back. Older versions of Apache Camel are affected; upgrade to Apache Camel 4.18.0, or, if you are on a long-term support line, to 4.10.9 (4.10.x) or 4.14.5 (4.14.x).
What to do
- Update apache org.apache.camel:camel-leveldb to version 4.10.9.
- Update apache org.apache.camel:camel-leveldb to version 4.14.5.
- Update apache org.apache.camel:camel-leveldb to version 4.18.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| apache | org.apache.camel:camel-leveldb | > 3.0.0 , <= 4.10.9 | 4.10.9 |
| apache | org.apache.camel:camel-leveldb | > 4.11.0 , <= 4.14.5 | 4.14.5 |
| apache | org.apache.camel:camel-leveldb | > 4.15.0 , <= 4.18.0 | 4.18.0 |
| apache | camel | > 3.0.0 , <= 4.10.9 | – |
| apache | camel | > 4.11.0 , <= 4.14.5 | – |
| apache | camel | > 4.15.0 , <= 4.18.0 | – |
Original title
Apache Camel Deserializes Untrusted Data in its LevelDB Component
Original description
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component.
The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repository operations, results in arbitrary code execution in the context of the application.
This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, from 4.15.0 before 4.18.0.
Users are recommended to upgrade to version 4.18.0, which fixes the issue. For the 4.10.x LTS releases, users are recommended to upgrade to 4.10.9, while for 4.14.x LTS releases, users are recommended to upgrade to 4.14.5.
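To make the missing ObjectInputFilter concrete, here is an added Java example (not Camel's own code) that contrasts an unfiltered ObjectInputStream, the pattern the description attributes to DefaultLevelDBSerializer, with one that installs an allowlist filter before readObject(). ExchangeBody is a constructed stand-in for a stored exchange payload, and setObjectInputFilter requires Java 9 or later.

```java
import java.io.*;

public class LevelDbFilterDemo {

    // Constructed stand-in for the payload an aggregation repository would store.
    static final class ExchangeBody implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        ExchangeBody(String text) { this.text = text; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: any class named in the bytes is resolved and instantiated.
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: allow only the types the repository legitimately stores
    // (assumed here: ExchangeBody and String), reject everything else ("!*"),
    // and cap graph depth to blunt resource-exhaustion payloads.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;" + ExchangeBody.class.getName() + ";java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] ok = serialize(new ExchangeBody("hello"));
        System.out.println("filtered, allowed class: " + ((ExchangeBody) readFiltered(ok)).text);

        // A benign class outside the allowlist stands in for an attacker-chosen type:
        // the unfiltered reader accepts it, the filtered reader throws InvalidClassException.
        byte[] other = serialize(new java.util.Date(0));
        System.out.println("unfiltered accepted: " + readUnfiltered(other).getClass().getName());
        try {
            readFiltered(other);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

The same allowlist can be applied process-wide with the `jdk.serialFilter` system property, which is a useful stop-gap on hosts that cannot be upgraded immediately.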
NVD CVSS 3.1
8.8
Vulnerability type
CWE-502
Deserialization of Untrusted Data
- https://nvd.nist.gov/vuln/detail/CVE-2026-25747
- https://github.com/apache/camel/commit/0e3ac39e20416c91af6df2cfce3f7d795e75ad89
- https://github.com/apache/camel/commit/5f343367f7b25646b7d12be26c3e87381c7a7ecb
- https://github.com/apache/camel/commit/af2f2e9571b3b03a36b771bd9eb10427886d9636
- https://issues.apache.org/jira/browse/CAMEL-22966
- https://github.com/advisories/GHSA-429q-mrc4-38fr
- https://camel.apache.org/security/CVE-2026-25747.html Vendor Advisory
- https://github.com/oscerd/CVE-2026-25747 Exploit Third Party Advisory
- http://www.openwall.com/lists/oss-security/2026/02/18/6 Mailing List Third Party Advisory
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026