SCA: security update for org.apache.camel:camel-infinispan (GHSA-4xwx-hvv7-7prj)

high Tenable Self-Hosted Container Security Plugin ID 441267

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read
from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An
attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized
Java object that, when read during normal aggregation repository operations such as get or recover,
results in arbitrary code execution in the context of the application. This issue affects Apache Camel:
from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to
upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then
they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are
suggested to upgrade to 4.18.2. The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23322 refers
to the various commits that resolved the issue, and have more details. This issue follows the same class
of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.
(CVE-2026-40858)

Solution

Update the org.apache.camel:camel-infinispan library and its related packages to version 4.14.7 or later.

See Also

https://github.com/advisories/GHSA-4xwx-hvv7-7prj

Plugin Details

Severity: High

ID: 441267

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 5/6/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58.03

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2026-40858

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/27/2026

Vulnerability Publication Date: 4/27/2026

Reference Information

CVE: CVE-2026-40858

cwe: CWE-502