{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": [
              "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*",
              "cpe:2.3:a:apache:camel:4.20.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
              {
                "introduced": "4.14.0"
              },
              {
                "fixed": "4.14.8"
              },
              {
                "introduced": "4.18.0"
              },
              {
                "fixed": "4.18.3"
              },
              {
                "introduced": "4.20.0"
              },
              {
                "last_affected": "4.20.0"
              }
            ],
            "source": [
              "CPE_RANGE",
              "CPE_STRING"
            ]
          },
          "events": [
            {
              "introduced": "669dd75eeffe052dcfc9f3f94369e501d275daf4"
            },
            {
              "fixed": "1451d25df0fbfc7020514dc30f8ec9a59f759ae9"
            },
            {
              "introduced": "dd22f752e240bd1343af15c775ef02d754f6df38"
            },
            {
              "fixed": "ee3bff8b44b38deff7b4f1b665691954e08b2ccd"
            },
            {
              "introduced": "57e91322ac62438d01ca6fd05b76e52866bcaa5d"
            },
            {
              "last_affected": "57e91322ac62438d01ca6fd05b76e52866bcaa5d"
            }
          ],
          "repo": "https://github.com/apache/camel",
          "type": "GIT"
        }
      ],
      "versions": [
        "4.20.0"
      ]
    }
  ],
  "database_specific": {
    "cna_assigner": "apache",
    "cwe_ids": [
      "CWE-502"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42527.json",
    "unresolved_ranges": [
      {
        "extracted_events": [
          {
            "introduced": "4.14.0"
          },
          {
            "fixed": "4.14.8"
          },
          {
            "introduced": "4.15.0"
          },
          {
            "fixed": "4.18.3"
          },
          {
            "introduced": "4.19.0"
          },
          {
            "fixed": "4.21.0"
          }
        ],
        "source": "AFFECTED_FIELD"
      },
      {
        "extracted_events": [
          {
            "introduced": "4.14.0"
          },
          {
            "fixed": "4.14.8"
          },
          {
            "introduced": "4.15.0"
          },
          {
            "fixed": "4.18.3"
          },
          {
            "introduced": "4.19.0"
          },
          {
            "fixed": "4.21.0"
          }
        ],
        "source": "DESCRIPTION"
      }
    ]
  },
  "details": "Deserialization of Untrusted Data vulnerability in Apache Camel.\n\nThe default ObjectInputFilter pattern shipped with several Apache Camel components for defense-in-depth deserialization filtering ('java.**;javax.**;org.apache.camel.**;!*', or the no-'javax.**' variant in the aggregation-repository components) uses a recursive 'java.**' glob that admits classes whose hashCode/equals/readObject methods perform network I/O, notably java.net.URL and java.net.InetAddress. When an attacker can deliver a Java-serialized payload to an affected Camel consumer, deserialization of a HashMap (or any collection that calls hashCode on its elements) containing java.net.URL keys causes the JVM to issue DNS queries to the attacker-supplied host during the deserialization side-effect. The class-level filter check passes because the resulting object's class (HashMap) is allow-listed; the DNS query is observable on an attacker-controlled DNS server, providing an out-of-band side channel. The exposure is highest on the camel-jms family because JmsBinding.extractBodyFromJms invokes ObjectMessage.getObject() unconditionally when mapJmsMessage=true (default). Affected components: camel-jms, camel-sjms, camel-amqp, camel-mina, camel-netty, camel-netty-http, camel-vertx-http, camel-infinispan, and the aggregation repository components camel-leveldb, camel-cassandraql, camel-consul, camel-sql (JDBC aggregation repository).\nThis issue affects Apache Camel: from 4.14.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to a version that contains the CAMEL-23372 fix once available: 4.21.0 for the 4.21.x line, 4.18.3 for the 4.18.x line, and 4.14.8 for the 4.14.x line. For deployments that cannot upgrade immediately, configure a JMS-provider-side allow-list (Apache ActiveMQ Artemis 'deserializationAllowList' / 'deserializationDenyList', Apache ActiveMQ Classic 'org.apache.activemq.SERIALIZABLE_PACKAGES') as the primary mitigation, and/or override the in-code default via the endpoint-level 'deserializationFilter' option or the JVM-wide '-Djdk.serialFilter' system property with an explicit deny: '!java.net.**;java.**;javax.**;org.apache.camel.**;!*' (or '!java.net.**;java.**;org.apache.camel.**;!*' for the aggregation-repository components, which do not include javax.**).",
  "id": "CVE-2026-42527",
  "modified": "2026-07-15T01:49:13.645525888Z",
  "published": "2026-07-06T07:55:06.159Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/05/4"
    },
    {
      "type": "WEB",
      "url": "https://repo.maven.apache.org/maven2"
    },
    {
      "type": "ADVISORY",
      "url": "https://camel.apache.org/security/CVE-2026-42527.html"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42527.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42527"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables DNS-based information disclosure"
}