{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6857", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-22T12:43:14.958Z", "datePublished": "2026-04-22T12:55:00.791Z", "dateUpdated": "2026-04-29T07:42:34.620Z"}, "containers": {"cna": {"title": "Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Apache Camel 4 for Quarkus 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "camel-infinispan", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:camel_quarkus:3"]}, {"vendor": "Red Hat", "product": "Red Hat build of Apache Camel for Spring Boot 4", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "camel-infinispan", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:camel_spring_boot:4"]}, {"vendor": "Red Hat", "product": "Red Hat Fuse 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "camel-infinispan", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_fuse:7"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "camel-infinispan", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "camel-infinispan", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-6857", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460003", "name": "RHBZ#2460003", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-13T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-502: Deserialization of Untrusted Data", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "timeline": [{"lang": "en", "time": "2026-04-13T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-13T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Feng Ning (Innora Pte. Ltd.) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-29T07:42:34.620Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-22T13:34:17.880468Z", "id": "CVE-2026-6857", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:34:30.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6857", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-22T13:34:17.880468Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T13:34:22.726Z"}}], "cna": {"title": "Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization", "credits": [{"lang": "en", "value": "Red Hat would like to thank Feng Ning (Innora Pte. Ltd.) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:camel_quarkus:3"], "vendor": "Red Hat", "product": "Red Hat build of Apache Camel 4 for Quarkus 3", "packageName": "camel-infinispan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:camel_spring_boot:4"], "vendor": "Red Hat", "product": "Red Hat build of Apache Camel for Spring Boot 4", "packageName": "camel-infinispan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_fuse:7"], "vendor": "Red Hat", "product": "Red Hat Fuse 7", "packageName": "camel-infinispan", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "camel-infinispan", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:jbosseapxp"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "packageName": "camel-infinispan", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-04-13T00:00:00.000Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-13T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-04-13T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-6857", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460003", "name": "RHBZ#2460003", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-29T07:42:34.620Z"}, "x_redhatCweChain": "CWE-502: Deserialization of Untrusted Data"}}, "cveMetadata": {"cveId": "CVE-2026-6857", "state": "PUBLISHED", "dateUpdated": "2026-04-29T07:42:34.620Z", "dateReserved": "2026-04-22T12:43:14.958Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-22T12:55:00.791Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability."}], "id": "CVE-2026-6857", "lastModified": "2026-04-22T21:23:52.620", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-22T13:16:22.583", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-6857"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460003"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Feng Ning (Innora Pte. Ltd.) for reporting this issue.", "bugzilla": {"description": "camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization", "id": "2460003", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2460003"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-6857", "package_state": [{"cpe": "cpe:/a:redhat:camel_quarkus:3", "fix_state": "Affected", "package_name": "camel-infinispan", "product_name": "Red Hat build of Apache Camel 4 for Quarkus 3"}, {"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Affected", "package_name": "camel-infinispan", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Affected", "package_name": "camel-infinispan", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Affected", "package_name": "camel-infinispan", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Affected", "package_name": "camel-infinispan", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-04-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-6857\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-6857"], "statement": "This vulnerability has an Important impact on Red Hat products utilizing `camel-infinispan` for remote aggregation. The flaw stems from unsafe deserialization within the ProtoStream remote aggregation repository, which could lead to remote code execution. This affects Red Hat Enterprise Application Platform and Red Hat JBoss Fuse when configured to use `camel-infinispan`.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat build of Apache Camel 4 for Quarkus 3", "source": "cna", "vendor": "Red Hat"}, "product": "build_of_apache_camel_for_quarkus", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Red Hat build of Apache Camel for Spring Boot 4", "source": "cna", "vendor": "Red Hat"}, "product": "build_of_apache_camel_for_spring_boot", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat Fuse 7", "source": "cna", "vendor": "Red Hat"}, "product": "fuse_7", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 89.0, "confidence_source": "matching", "scores": [{"score": 89.0, "source": "matching"}]}, "original": {"product": "Red Hat JBoss Enterprise Application Platform 8", "source": "cna", "vendor": "Red Hat"}, "product": "jboss_enterprise_application_platform", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "source": "cna", "vendor": "Red Hat"}, "product": "jboss_enterprise_application_platform_expansion_pack", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-22T19:23:35.480096+00:00", "value": {"mitigation_remediation": ["Apply the latest Red\u00a0Hat security patch for the affected Camel\u2011infinispan component as released in the vendor\u2019s errata.", "If a patch is not yet available, upgrade to a product release that contains the fix for unsafe deserialization.", "Disable or remove the ProtoStream remote aggregation repository in Camel configuration to eliminate the vulnerable interface.", "Enforce strict user permissions and network segmentation to limit exposure of the Camel services.", "Monitor logs for deserialization attempts and configure intrusion detection rules against the CVE.", "Apply the official Red\u00a0Hat workaround as provided in the advisory, noting that it may not meet all deployment criteria."], "summary": {"action": "Patch ASAP", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected products include Red\u202fHat\u202fFuse\u202f7, Red\u202fHat\u202fJBoss Enterprise Application Platform\u202f8, Red\u202fHat\u202fJBoss Enterprise Application Platform Expansion Pack, Red\u202fHat build of Apache\u00a0Camel\u00a04 for Quarkus\u00a03, and Red\u202fHat build of Apache\u00a0Camel for Spring\u00a0Boot\u00a04. Specific version details are not provided in the advisory.\n", "description_and_impact": "The vulnerability is an unsafe deserialization flaw in Camel\u2011infinispan\u2019s ProtoStream remote aggregation repository that allows a remote attacker with low privileges to send crafted data and gain arbitrary code execution. The flaw can compromise the confidentiality, integrity, and availability of the affected system, giving the attacker full control.\n", "risk_and_exploitability": "The CVSS score is 7.5, indicating a high severity of remote code execution. EPSS data are not available, and the vulnerability is not listed in CISA\u2019s KEV catalog. The likely attack vector is remote, via network\u2011based communication with the Camel\u2011infinispan component, where an attacker sends maliciously crafted serialized data to trigger the flaw."}}}}, "created": "2026-04-22T19:30:24.748405+00:00", "updated": "2026-04-27T20:21:06.116441+00:00", "vendors": ["redhat", "redhat$PRODUCT$build_of_apache_camel_for_quarkus", "redhat$PRODUCT$build_of_apache_camel_for_spring_boot", "redhat$PRODUCT$fuse_7", "redhat$PRODUCT$jboss_enterprise_application_platform", "redhat$PRODUCT$jboss_enterprise_application_platform_expansion_pack"]}