{"api_version":"1","generated_at":"2026-04-23T02:36:32+00:00","cve":"CVE-2026-6857","urls":{"html":"https://cve.report/CVE-2026-6857","api":"https://cve.report/api/cve/CVE-2026-6857.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-6857","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-6857"},"summary":{"title":"Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization","description":"A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.","state":"PUBLISHED","assigner":"redhat","published_at":"2026-04-22 13:16:22","updated_at":"2026-04-22 21:23:52"},"problem_types":["CWE-502","CWE-502 Deserialization of Untrusted Data"],"metrics":[{"version":"3.1","source":"secalert@redhat.com","type":"Primary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","data":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-6857","name":"https://access.redhat.com/security/cve/CVE-2026-6857","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460003","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2460003","refsource":"secalert@redhat.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-6857","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-6857","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Apache Camel 4 for Quarkus 3","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat build of Apache Camel for Spring Boot 4","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat Fuse 7","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform 8","version":"","platforms":[]},{"source":"CNA","vendor":"Red Hat","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","version":"","platforms":[]}],"timeline":[{"source":"CNA","time":"2026-04-13T00:00:00.000Z","lang":"en","value":"Reported to Red Hat."},{"source":"CNA","time":"2026-04-13T00:00:00.000Z","lang":"en","value":"Made public."}],"solutions":[],"workarounds":[{"source":"CNA","title":"","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.","time":"","lang":"en"}],"exploits":[],"credits":[{"source":"CNA","value":"Red Hat would like to thank Feng Ning (Innora Pte. Ltd.) for reporting this issue.","lang":"en"}],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-6857","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-22T13:34:17.880468Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-22T13:34:30.098Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:camel_quarkus:3"],"defaultStatus":"affected","packageName":"camel-infinispan","product":"Red Hat build of Apache Camel 4 for Quarkus 3","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:camel_spring_boot:4"],"defaultStatus":"affected","packageName":"camel-infinispan","product":"Red Hat build of Apache Camel for Spring Boot 4","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/downloads/content/package-browser/","cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","packageName":"camel-infinispan","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","cpes":["cpe:/a:redhat:jboss_enterprise_application_platform:8"],"defaultStatus":"affected","packageName":"camel-infinispan","product":"Red Hat JBoss Enterprise Application Platform 8","vendor":"Red Hat"},{"collectionURL":"https://access.redhat.com/jbossnetwork/restricted/listSoftware.html","cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"affected","packageName":"camel-infinispan","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"}],"credits":[{"lang":"en","value":"Red Hat would like to thank Feng Ning (Innora Pte. Ltd.) for reporting this issue."}],"datePublic":"2026-04-13T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"HIGH","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-502","description":"Deserialization of Untrusted Data","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-22T12:55:00.791Z","orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat"},"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-6857"},{"name":"RHBZ#2460003","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2460003"}],"timeline":[{"lang":"en","time":"2026-04-13T00:00:00.000Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-13T00:00:00.000Z","value":"Made public."}],"title":"Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_generator":{"engine":"cvelib 1.8.0"},"x_redhatCweChain":"CWE-502: Deserialization of Untrusted Data"}},"cveMetadata":{"assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","assignerShortName":"redhat","cveId":"CVE-2026-6857","datePublished":"2026-04-22T12:55:00.791Z","dateReserved":"2026-04-22T12:43:14.958Z","dateUpdated":"2026-04-22T13:34:30.098Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-22 13:16:22","lastModifiedDate":"2026-04-22 21:23:52","problem_types":["CWE-502","CWE-502 Deserialization of Untrusted Data"],"metrics":{"cvssMetricV31":[{"source":"secalert@redhat.com","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.6,"impactScore":5.9}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"6857","Ordinal":"1","Title":"Camel-infinispan: camel-infinispan: remote code execution via un","CVE":"CVE-2026-6857","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"6857","Ordinal":"1","NoteData":"A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.","Type":"Description","Title":"Camel-infinispan: camel-infinispan: remote code execution via un"}]}}}