Unsafe deserialization in camel-infinispan ProtoStream remote aggregation repository. DefaultExchangeHolderUtils.deserialize() uses ClassLoadingAwareObjectInputStream.readObject() without ObjectInputFilter. Same pattern as CVE-2024-22369, CVE-2024-23114, CVE-2026-25747. Verified on Camel 4.10.0 + Infinispan 15.1.4. Reported to security and MITRE CVE Request #2024308.
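As an added illustration of the mitigation the report points at (the missing ObjectInputFilter), and not code from Apache Camel, Infinispan or Red Hat: a small Java deserialize helper that installs an allow-list filter before calling readObject(), so a stream carrying any class outside the expected payload types is rejected before that class is instantiated. The ExchangePayload class, the filter pattern and the sample inputs are constructed for this example; Camel's DefaultExchangeHolderUtils and ClassLoadingAwareObjectInputStream are not used or reproduced here.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

public class FilteredDeserializationDemo {

    // Hypothetical payload type standing in for an exchange holder; this is NOT
    // Camel's DefaultExchangeHolder, just a stand-in with a body and a few headers.
    static final class ExchangePayload implements Serializable {
        private static final long serialVersionUID = 1L;
        final String body;
        final List<String> headers;

        ExchangePayload(String body, List<String> headers) {
            this.body = body;
            this.headers = headers;
        }
    }

    // Allow-list filter (constructed for this example): only the payload type, the JDK
    // types it actually contains, then "!*" rejects everything else. The limits cap
    // nesting depth and array sizes so a crafted stream cannot exhaust memory either.
    // Patterns are matched in order; the first match decides, so "!*" must come last.
    static final ObjectInputFilter PAYLOAD_FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxarray=10000;"
            + ExchangePayload.class.getName() + ";"
            + "java.util.ArrayList;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Hardened counterpart of a deserialize() that calls readObject() on an unfiltered
    // stream: the filter is attached to the stream before readObject(), so a class that
    // is not on the allow-list is refused with InvalidClassException and never loaded.
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(PAYLOAD_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a legitimate payload round-trips through the filter.
        List<String> headers = new ArrayList<>(List.of("CamelFileName=in.txt"));
        ExchangePayload ok = (ExchangePayload) deserialize(
                serialize(new ExchangePayload("hello", headers)));
        System.out.println("allowed: " + ok.body + " " + ok.headers);

        // Constructed sample: an object of a type outside the allow-list (a plain JDK
        // HashMap here, standing in for any class the code did not expect) is rejected.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserialize(unexpected);
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list is the point of the example: a filter that merely denies known-bad classes has to be updated for every new gadget chain, whereas naming the handful of types the application actually expects turns every other class in the stream into a rejection. The same filter can also be installed process-wide with ObjectInputFilter.Config.setSerialFilter() or the jdk.serialFilter system property, which is a useful backstop for library code paths, like the one described above, that deserialize without setting a filter themselves.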
This issue has been addressed in the following products: Red Hat build of Apache Camel 4.18.1 for Spring Boot 3.5.14, via RHSA-2026:17668 (https://access.redhat.com/errata/RHSA-2026:17668).
This issue has been addressed in the following products: Red Hat Build of Apache Camel 4.18 for Quarkus 3.33, via RHSA-2026:22453 (https://access.redhat.com/errata/RHSA-2026:22453).