{"id":"CVE-2026-42527","summary":"Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure","details":"Deserialization of Untrusted Data vulnerability in Apache Camel.\n\nThe default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object's class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository).\nThis issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.**;java.**;javax.**;org.apache.camel.**;!*' (or '!java.net.**;java.**;org.apache.camel.**;!*' for the aggregation-repository components, which do not include javax.**).","modified":"2026-07-15T02:20:00.723858876Z","published":"2026-07-06T07:55:06.159Z","database_specific":{"cwe_ids":["CWE-502"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42527.json","unresolved_ranges":[{"extracted_events":[{"introduced":"4.14.0"},{"fixed":"4.14.8"},{"introduced":"4.15.0"},{"fixed":"4.18.3"},{"introduced":"4.19.0"},{"fixed":"4.21.0"}],"source":"AFFECTED_FIELD"},{"source":"DESCRIPTION","extracted_events":[{"introduced":"4.14.0"},{"fixed":"4.14.8"},{"introduced":"4.15.0"},{"fixed":"4.18.3"},{"introduced":"4.19.0"},{"fixed":"4.21.0"}]}],"cna_assigner":"apache"},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/07/05/4"},{"type":"WEB","url":"https://repo.maven.apache.org/maven2"},{"type":"ADVISORY","url":"https://camel.apache.org/security/CVE-2026-42527.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42527.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42527"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/apache/camel","events":[{"introduced":"669dd75eeffe052dcfc9f3f94369e501d275daf4"},{"fixed":"1451d25df0fbfc7020514dc30f8ec9a59f759ae9"},{"introduced":"dd22f752e240bd1343af15c775ef02d754f6df38"},{"fixed":"ee3bff8b44b38deff7b4f1b665691954e08b2ccd"},{"introduced":"57e91322ac62438d01ca6fd05b76e52866bcaa5d"},{"last_affected":"57e91322ac62438d01ca6fd05b76e52866bcaa5d"}],"database_specific":{"extracted_events":[{"introduced":"4.14.0"},{"fixed":"4.14.8"},{"introduced":"4.18.0"},{"fixed":"4.18.3"},{"introduced":"4.20.0"},{"last_affected":"4.20.0"}],"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*","cpe:2.3:a:apache:camel:4.20.0:*:*:*:*:*:*:*"]}}],"versions":["4.20.0","camel-4.20.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42527.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}