Deserialization in Red Hat Build Of Apache Camel 4.18.1 For Spring Boot 3.5.14
CVE-2026-6857
A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading…
Vulnerability class: Insecure Deserialization
EPSS: 0.007 (71.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.
Affected products
- Red Hat Build Of Apache Camel 4.18.1 For Spring Boot 3.5.14
- Red Hat Build Of Apache Camel 4.18 For Quarkus 3.33
- Red Hat Build Of Apache Camel 4 For Quarkus 3
- Red Hat Build Of Apache Camel For Spring Boot 4
- Red Hat Fuse 7
- Red Hat Jboss Enterprise Application Platform 8
- Red Hat Jboss Enterprise Application Platform Expansion Pack
Weakness classification (CWE)
Public proof-of-concept exploits
References
- secalert@redhat.com (x_refsource_REDHAT, vdb-entry)
- secalert@redhat.com (x_refsource_REDHAT, issue-tracking)
- secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
- secalert@redhat.com (x_refsource_REDHAT, vendor-advisory)
Frequently asked questions
- What is CVE-2026-6857?
- CVE-2026-6857 is a high-severity vulnerability in Red Hat Build Of Apache Camel 4.18.1 For Spring Boot 3.5.14, classified under Deserialization of Untrusted Data. CVSS score: 7.5/10. Published 2026-04-22.
- How severe is CVE-2026-6857?
- High severity. CVSS v3 base score is 7.5 out of 10.
- Is CVE-2026-6857 known to be exploited?
- 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.