Apache Camel Consul Component Unsafe Java Deserialization Vulnerability in ConsulRegistry Allows Arbitrary Code Execution

Vulnerability

A vulnerability exists in the Apache Camel Consul component, specifically within the ConsulRegistry class. This issue arises because the component reads Java-serialized data from the Consul KV store and passes it to the ObjectInputStream.readObject() method without proper input filtering. An attacker with write access to the Consul KV store can inject a malicious serialized object that, when deserialized during a registry lookup, executes arbitrary code within the Camel process. This vulnerability is similar to issues previously addressed in other Camel components and was inadvertently overlooked during those remediations.
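The read pattern the advisory describes, beside a filtered form, as an added illustration (this is not Camel's code and makes no Consul connection: the bytes a lookup would read from the KV store are constructed in memory, and the class name, method names and the chosen allowlist are assumptions). The hardened version uses the JDK's built-in deserialization filter (ObjectInputFilter, Java 9+) to reject any class not explicitly allowed before it is resolved.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;

// Hypothetical demo class; names are assumptions, not Camel identifiers.
public class RegistryDeserializationDemo {
    // Stand-in for the bytes a registry lookup reads back from a KV store
    // (constructed in memory here; no Consul connection is made).
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(value);
        }
        return bos.toByteArray();
    }
    // Unsafe pattern from the advisory: any class named in the stream is
    // resolved and instantiated before application code sees the result.
    static Object unfilteredRead(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }
    // Hardened form: a JDK deserialization filter (JEP 290, Java 9+) rejects
    // every class outside an explicit allowlist before it is resolved.
    static Object filteredRead(byte[] data, ObjectInputFilter filter) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Allow only java.lang.String; the trailing "!*" rejects everything else.
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter("java.lang.String;!*");
        byte[] expected = serialize("registry-value");
        System.out.println("allowlisted value: " + filteredRead(expected, allowlist));
        // java.util.Date stands in for an unexpected class arriving from the store.
        byte[] unexpected = serialize(new java.util.Date(0L));
        System.out.println("unfiltered read resolves: " + unfilteredRead(unexpected).getClass().getName());
        try {
            filteredRead(unexpected, allowlist);
        } catch (InvalidClassException e) {
            System.out.println("filter rejected: " + e.getMessage());
        }
    }
}
```

The allowlist should name only the types a registry value is expected to hold; the same filter can also be applied process-wide with the jdk.serialFilter system property.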

Impact

Exploitation of this vulnerability allows for arbitrary code execution within the Apache Camel process.

Remediation

Users should upgrade to Apache Camel version 4.19.0. For those on the 4.14.x LTS release stream, upgrade to 4.14.6. If on the 4.18.x release stream, upgrade to 4.18.1.

Added: Apr 27, 2026, 11:20 AM
Updated: Apr 27, 2026, 11:20 AM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 7.5
exploitability: 2.3
remediation: 7.7
relevance: 6.7
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.