CVE-2026-6857 — camel-infinispan Vulnerable to Deserialization of Untrusted Data

Description

A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.

How to fix CVE-2026-6857

To remediate CVE-2026-6857, upgrade the affected package to a fixed version below.

—upgrade to 4.20.0 or later

Is CVE-2026-6857 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.20.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-6857
PATCHgithub.com/apache/camel
WEBaccess.redhat.com/errata/RHSA-2026:17668
WEBaccess.redhat.com/errata/RHSA-2026:22453
WEBaccess.redhat.com