CVE-2026-27172 Overview
A critical insecure deserialization vulnerability has been identified in Apache Camel's camel-consul component. The ConsulRegistry class (org.apache.camel.component.consul.ConsulRegistry), through the deserialize method of its inner ConsulRegistryUtils class, reads Java-serialized values from the Consul KV store and passes them directly to ObjectInputStream.readObject() without configuring an ObjectInputFilter. This oversight allows an attacker with write access to the Consul KV store backing a Camel ConsulRegistry instance to inject malicious serialized Java objects, leading to arbitrary code execution within the Camel process.
This vulnerability mirrors a class of deserialization issues previously addressed in other Camel components under CVE-2024-22369, CVE-2024-23114, and CVE-2026-25747, but was overlooked during the original remediation efforts.
Critical Impact
Attackers with Consul KV store write access can achieve remote code execution in Apache Camel applications by injecting malicious serialized Java objects.
Affected Products
- Apache Camel versions from 3.0.0 before 4.14.6
- Apache Camel versions from 4.15.0 before 4.18.1
- Apache Camel camel-consul component
Discovery Timeline
- April 27, 2026 - CVE-2026-27172 published to NVD
- April 28, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27172
Vulnerability Analysis
This vulnerability exists in the ConsulRegistry class within the Apache Camel camel-consul component. When Camel applications use Consul as a registry backend, they retrieve key-value pairs from the Consul KV store. The ConsulRegistryUtils.deserialize method processes these stored values by passing them directly to Java's native ObjectInputStream.readObject() method without implementing any input filtering or validation.
Java deserialization vulnerabilities are particularly dangerous because the deserialization process can trigger side effects through specially crafted object graphs. An attacker can leverage existing classes (gadget chains) in the application's classpath to achieve arbitrary code execution during the deserialization process itself, before any application-level validation occurs.
The vulnerability is exploitable remotely via network access and requires low privileges (write access to Consul KV store). No user interaction is required for exploitation, and successful attacks can result in complete compromise of confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause is the absence of an ObjectInputFilter when deserializing data from the Consul KV store. The ConsulRegistryUtils.deserialize method directly instantiates an ObjectInputStream and calls readObject() on untrusted data without restricting which classes can be deserialized. This is classified as CWE-502 (Deserialization of Untrusted Data).
Modern secure deserialization practices require implementing allowlists that restrict deserialization to only expected, safe classes. The Apache Camel team had previously addressed this pattern in other components but missed the camel-consul component during those remediation efforts.
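The defect described above, shown as an added example that is not Camel's own code: a deserialize routine with no filter next to one that installs a JEP 290 ObjectInputFilter allowlist (java.io.ObjectInputFilter, available since Java 9). The RegistryEntry value type, the filter pattern and its limits are assumptions chosen for this example; which classes the actual Camel patch allowlists is not stated on this page.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class RegistryDeserializationExample {

    // Hypothetical value type a registry might store; stands in for whatever the
    // application legitimately serializes into Consul (an assumption of this example).
    public static final class RegistryEntry implements Serializable {
        private static final long serialVersionUID = 1L;
        final String name;
        RegistryEntry(String name) { this.name = name; }
    }

    // The pattern described under Root Cause: readObject() with no filter, so any
    // class on the classpath may be instantiated from whoever wrote the bytes.
    static Object deserializeUnfiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    // Hardened form: an allowlist filter. Only the expected value type and the JDK
    // types it contains are accepted; the trailing "!*" rejects every other class
    // before it is instantiated. The limits cap resource-exhaustion object graphs.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=8;maxrefs=256;maxbytes=65536;"
            + RegistryEntry.class.getName() + ";java.lang.String;!*");

    static Object deserializeFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Helper used only to build sample inputs for the demonstration.
    static byte[] serialize(Serializable value) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(value);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a legitimate entry and a stand-in for an unexpected class.
        byte[] legitimate = serialize(new RegistryEntry("order-service"));
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));

        RegistryEntry entry = (RegistryEntry) deserializeFiltered(legitimate);
        System.out.println("filtered, expected class accepted: " + entry.name);

        System.out.println("unfiltered, unexpected class accepted: "
                + deserializeUnfiltered(unexpected).getClass().getName());

        try {
            deserializeFiltered(unexpected);
            System.out.println("filter did not reject (unexpected)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected class rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with a Java 9 or later JDK. The unfiltered path happily accepts the ArrayList stand-in, while the filtered path rejects it with an InvalidClassException at class-descriptor resolution, before any constructor or readObject hook of the rejected class runs. The trailing "!*" is what makes the pattern an allowlist rather than a blocklist; a production filter should name only the classes the registry legitimately stores.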
Attack Vector
The attack vector requires an adversary to have write access to the Consul KV store that backs the vulnerable Camel application's ConsulRegistry. The attacker writes a malicious serialized Java object (constructed using a gadget chain compatible with the target application's classpath) to a key that the Camel application will subsequently read.
When the Camel application performs a registry lookup against that key, the malicious payload is deserialized, triggering the gadget chain and executing arbitrary code with the privileges of the Camel process. Common gadget chains from libraries like Apache Commons Collections, Spring Framework, or other dependencies present in typical Java applications can be leveraged for exploitation.
Detection Methods for CVE-2026-27172
Indicators of Compromise
- Unexpected or suspicious entries in the Consul KV store, particularly those containing Base64-encoded or binary serialized Java objects
- Anomalous process spawning or network connections originating from Camel application processes
- Unusual memory consumption patterns or JVM crashes that may indicate deserialization exploitation attempts
- Consul KV store access logs showing write operations from unauthorized or unexpected sources
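A scan for the first indicator above, as an added example rather than tooling from this page or from Apache Camel: every Java serialization stream begins with STREAM_MAGIC 0xACED followed by STREAM_VERSION 0x0005, which in Base64 always starts with "rO0AB". The code assumes the key/value pairs have already been fetched from Consul's KV HTTP API, where each Value field arrives Base64-encoded, and flags both that form and values that are themselves Base64 text of a serialized stream; the sample map is constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;

public class ConsulKvSerializationScan {

    // Java serialization stream header: STREAM_MAGIC (0xACED) then STREAM_VERSION (0x0005).
    // Base64 of any stream starting with these bytes begins with "rO0AB".
    static final byte[] JAVA_STREAM_HEADER = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    // True when the raw bytes start with the Java serialization header.
    static boolean looksLikeJavaSerialization(byte[] raw) {
        if (raw == null || raw.length < JAVA_STREAM_HEADER.length) return false;
        for (int i = 0; i < JAVA_STREAM_HEADER.length; i++) {
            if (raw[i] != JAVA_STREAM_HEADER[i]) return false;
        }
        return true;
    }

    // Consul's KV HTTP API (/v1/kv/<prefix>?recurse) returns each Value Base64-encoded.
    // Decode it once and check the header; if the stored value is itself Base64 text
    // of a serialized stream (double encoding), a second decode catches that too.
    static boolean isSuspicious(String base64Value) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(base64Value);
        } catch (IllegalArgumentException e) {
            return false; // not valid Base64, nothing to inspect
        }
        if (looksLikeJavaSerialization(raw)) return true;
        try {
            String inner = new String(raw, StandardCharsets.US_ASCII).trim();
            return looksLikeJavaSerialization(Base64.getDecoder().decode(inner));
        } catch (IllegalArgumentException e) {
            return false; // decoded value is not Base64 text either
        }
    }

    // Returns the keys whose values carry a Java serialization header.
    static List<String> flagKeys(Map<String, String> keyToBase64Value) {
        List<String> flagged = new ArrayList<>();
        for (Map.Entry<String, String> e : keyToBase64Value.entrySet()) {
            if (isSuspicious(e.getValue())) flagged.add(e.getKey());
        }
        return flagged;
    }

    public static void main(String[] args) {
        Base64.Encoder enc = Base64.getEncoder();
        // Constructed sample of what a recurse response yields after JSON parsing:
        // one plain config value, one JSON value, one raw serialized stream, and one
        // value whose content is the Base64 text of a serialized stream.
        byte[] stream = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05, 0x73, 0x72}; // header + TC_OBJECT, TC_CLASSDESC
        Map<String, String> sample = Map.of(
            "camel/config/timeout", enc.encodeToString("30s".getBytes(StandardCharsets.UTF_8)),
            "camel/registry/plain-json", enc.encodeToString("{\"host\":\"db\"}".getBytes(StandardCharsets.UTF_8)),
            "camel/registry/order-service", enc.encodeToString(stream),
            "camel/registry/double-encoded", enc.encodeToString(enc.encodeToString(stream).getBytes(StandardCharsets.US_ASCII))
        );
        System.out.println("keys holding Java-serialized values: " + flagKeys(sample));
    }
}
```

Running it flags the two registry keys and leaves the config and JSON values alone. A serialized value under a key the application reads is not proof of compromise (the registry stores serialized objects by design), so the useful signal is a serialized value appearing under an unexpected key, or a write to such a key from a token or source that should not hold write access.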
Detection Strategies
- Monitor Consul KV store audit logs for write operations, especially to keys used by Camel registry lookups
- Implement Java agent-based monitoring to detect suspicious deserialization activity, for example with Runtime Application Self-Protection (RASP) tooling
- Deploy network segmentation and access controls to limit which systems can write to Consul KV stores
- Utilize SentinelOne's behavioral AI to detect anomalous process behavior indicative of code execution following deserialization
Monitoring Recommendations
- Enable verbose logging for the camel-consul component to track registry lookup operations
- Configure alerting on Consul KV store modifications to sensitive namespaces
- Implement application performance monitoring (APM) to detect unusual execution patterns in Camel routes
How to Mitigate CVE-2026-27172
Immediate Actions Required
- Upgrade Apache Camel to version 4.19.0 or later immediately
- For users on the 4.14.x LTS release stream, upgrade to version 4.14.6 or later
- For users on the 4.18.x release stream, upgrade to version 4.18.1 or later
- Review Consul KV store access controls and restrict write permissions to trusted systems only
Patch Information
Apache has released patched versions that implement proper ObjectInputFilter configuration to prevent deserialization of malicious objects. Users should upgrade to one of the following versions:
- Version 4.19.0 - Recommended for latest features and security fixes
- Version 4.14.6 - For users on the 4.14.x Long-Term Support release stream
- Version 4.18.1 - For users on the 4.18.x release stream
For detailed information, see the Apache Camel CVE-2026-27172 Advisory.
Workarounds
- Restrict network access to the Consul KV store using firewall rules and ACLs to limit which systems can write to it
- Implement Consul ACL policies that enforce least-privilege access for Camel applications
- If possible, migrate to an alternative registry implementation that does not use Java serialization
- Deploy a Web Application Firewall (WAF) or network inspection tools to monitor for suspicious traffic to Consul endpoints
# Example Consul ACL policy to restrict KV write access
# Create a policy file (camel-readonly.hcl) granting read-only access to the
# key prefix the Camel application reads from
cat << 'EOF' > camel-readonly.hcl
key_prefix "camel/" {
  policy = "read"
}
EOF
# Register the policy with your Consul cluster
consul acl policy create -name "camel-readonly" -rules @camel-readonly.hcl
# Issue the token the Camel application will use, bound to that policy;
# the restriction only takes effect when the cluster's ACL default_policy is "deny"
consul acl token create -description "camel-consul registry reader" -policy-name "camel-readonly"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.