CVE-2026-6857: Camel-infinispan: camel-infinispan: remote code execution via unsafe deserialization
A flaw was found in camel-infinispan. This vulnerability involves unsafe deserialization in the ProtoStream remote aggregation repository. A remote attacker with low privileges could exploit this by sending specially crafted data, leading to arbitrary code execution. This allows the attacker to gain full control over the affected system, impacting its confidentiality, integrity, and availability.
Security readout for executives and security teams
Plain-English summary
This issue can let a low-privileged remote attacker execute code through unsafe deserialization in camel-infinispan's ProtoStream remote aggregation repository. If the affected integration is exposed to untrusted or broadly authenticated users, compromise could affect confidentiality, integrity, and availability. The provided sources do not show active exploitation.
Executive priority
High priority for affected Camel or Fuse deployments because successful exploitation could mean full system compromise. The evidence supports urgent validation and vendor-guided remediation, but not an emergency active-exploitation response based solely on the provided sources.
Technical view
CVE-2026-6857 is CWE-502 unsafe deserialization in camel-infinispan. The described path is the ProtoStream remote aggregation repository, where specially crafted data may trigger arbitrary code execution. CVSS 3.1 is 7.5: network reachable, high complexity, low privileges required, no user interaction, high C/I/A impact.
Likely exposure
Likely exposure is limited to environments using affected Red Hat products with camel-infinispan, especially Red Hat build of Apache Camel 4 for Quarkus 3 and Red Hat Fuse 7. Several listed Red Hat products are marked unaffected in the source bundle.
Exploitation context
The bundle says exploitation requires low privileges and specially crafted data, with high attack complexity. CISA KEV status is false, and no cited source in the bundle confirms exploitation in the wild. Treat exploit maturity as unconfirmed from the provided evidence.
Researcher notes
Key constraints are AC:H and PR:L, so practical exploitability depends on reachable integration paths and permissions. The source bundle does not provide fixed versions, proof-of-concept details, or field exploitation evidence. Product status is Red Hat-specific and should not be generalized to all Apache Camel deployments.
Mitigation direction
Review RHSA-2026:17668 and RHSA-2026:22453 for vendor remediation details.
Prioritize affected systems using camel-infinispan remote aggregation repositories.
Restrict access to Infinispan-backed Camel integration endpoints where feasible.
Apply vendor-provided updates or mitigations when Red Hat guidance confirms applicability.
Monitor Red Hat CVE and Bugzilla entries for updated affected-version guidance.
Validation and detection
Inventory Red Hat Camel, Camel Quarkus, and Fuse deployments for camel-infinispan usage.
Check whether ProtoStream remote aggregation repository features are enabled.
Compare installed product streams against Red Hat's affected and unaffected status.
Review authentication boundaries for users able to send data to affected components.
Confirm remediation state through package/product versions after applying vendor guidance.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-502: Code execution behavior lookup
Code execution and unsafe deserialization weaknesses often justify reviewing execution behavior and process telemetry. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
2CVSS vectors
7Timeline events
2ADP providers
6Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: total
CVSS vector scores
2 official scores
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-502 · source CWE mapping
Deserialization of Untrusted Data
Deserialization of Untrusted Data represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.