


Perceptive Security
SOC/SIEM Consultancy

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values v…
Published:
26 April 2026 at 22:00:00
Alert date:
27 April 2026 at 17:03:10
Source:
nvd.nist.gov
Enterprise Applications, Supply Chain & Dependencies
CVE-2026-40860 is a critical remote code execution vulnerability in Apache Camel's JMS components. The flaw is in JmsBinding.extractBodyFromJms() (and the equivalent JmsBinding class in camel-sjms), which deserializes the payload of incoming JMS ObjectMessage values without adequate filtering of the classes being deserialized. The vulnerable path is reached when Camel acts as a JMS consumer and the mapJmsMessage option is enabled, which is the default, so any party able to publish to a destination the route consumes can send a crafted ObjectMessage and execute code in the Camel process; the consumer does not need to be reachable from the Internet. Multiple Camel JMS components are affected, including camel-jms, camel-sjms, camel-amqp and camel-activemq. Versions 3.0.0 to 4.14.6, 4.15.0 to 4.18.1, and 4.19.0 to 4.19.x are vulnerable. Fixed versions are 4.14.7, 4.18.2 and 4.20.0; there is no fixed 4.19.x release, so 4.19.x users move to 4.20.0.
Technical details
Mitigation steps (based on the advisory summary above):
1. Upgrade to the fixed release for your branch: 4.14.7 (4.14.x), 4.18.2 (4.15.x to 4.18.x) or 4.20.0 (4.19.x and later). 3.x has no fixed release listed; move to a supported 4.x line.
2. Until the upgrade lands, the advisory ties the vulnerable path to mapJmsMessage being enabled on consuming endpoints; disabling it on affected consumers (mapJmsMessage=false) removes Camel's automatic ObjectMessage mapping. Note that this only stops Camel's own mapping: route code that calls ObjectMessage.getObject() on the raw JMS message would still deserialize attacker-controlled data, so ObjectMessage payloads should be rejected rather than read.
3. Since the attack requires publishing to a destination the route consumes, restrict publish rights on those destinations at the broker to the producers that need them, and review broker audit logs for unexpected producers.
Affected products:
Apache Camel
camel-jms
camel-sjms
camel-sjms2
camel-amqp
camel-activemq
camel-activemq6
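An added example, not from the advisory, NVD or the Apache Camel project: a small Python script that checks a project's pom.xml and the output of mvn dependency:list against the artifact IDs and version ranges listed above, and reports the fixed release to move to. The sample pom.xml and dependency-list lines are constructed for the example; the mapping from vulnerable range to fixed version follows the advisory summary, and version qualifiers such as -SNAPSHOT are ignored (see the comment in parse_version).

```python
"""Check Maven build metadata for Apache Camel JMS components in the version
ranges CVE-2026-40860 lists as vulnerable. Example code, not Apache Camel's own."""
import re
import xml.etree.ElementTree as ET

# Artifact IDs named as affected on this page.
AFFECTED_ARTIFACTS = {
    "camel-jms", "camel-sjms", "camel-sjms2",
    "camel-amqp", "camel-activemq", "camel-activemq6",
}

# Vulnerable ranges (inclusive) and the fixed release for each, as listed in the
# advisory. The 4.19.x line has no fixed release, so its fix is 4.20.0.
BIG = 10**9
VULNERABLE_RANGES = [
    ((3, 0, 0), (4, 14, 6), "4.14.7"),
    ((4, 15, 0), (4, 18, 1), "4.18.2"),
    ((4, 19, 0), (4, 19, BIG), "4.20.0"),
]

POM_NS = "{http://maven.apache.org/POM/4.0.0}"


def parse_version(version):
    """Return (major, minor, patch) from a Maven version string.

    Qualifiers such as -SNAPSHOT or .RC1 are ignored, which treats a
    pre-release build of a fixed version as fixed; tighten if that is too lenient.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(x) for x in m.groups())


def assess(artifact, version):
    """Return the fixed version to upgrade to, or None if not affected."""
    if artifact not in AFFECTED_ARTIFACTS:
        return None
    v = parse_version(version)
    for low, high, fixed in VULNERABLE_RANGES:
        if low <= v <= high:
            return fixed
    return None


def scan_pom(pom_xml):
    """Scan a pom.xml string; returns [(artifactId, version, fixed_or_None)].

    Resolves ${property} placeholders from <properties> and project.version and
    inspects every <dependency>, including those under <dependencyManagement>.
    Transitive dependencies are not visible here; see scan_dependency_list.
    """
    root = ET.fromstring(pom_xml)
    props = {}
    pv = root.find(f"{POM_NS}version")
    if pv is not None and pv.text:
        props["project.version"] = pv.text.strip()
    for p in root.findall(f"{POM_NS}properties/*"):
        props[p.tag.replace(POM_NS, "")] = (p.text or "").strip()

    def resolve(text):
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text)

    findings = []
    for dep in root.iter(f"{POM_NS}dependency"):
        gid = dep.findtext(f"{POM_NS}groupId", "").strip()
        aid = dep.findtext(f"{POM_NS}artifactId", "").strip()
        ver = resolve(dep.findtext(f"{POM_NS}version", "").strip())
        if gid != "org.apache.camel" or aid not in AFFECTED_ARTIFACTS or not ver:
            continue
        if "${" in ver:
            continue  # managed by a parent/BOM we cannot see; use the resolved tree
        findings.append((aid, ver, assess(aid, ver)))
    return findings


# `mvn dependency:list` prints lines like
# "[INFO]    org.apache.camel:camel-jms:jar:4.18.1:compile"
DEP_LINE = re.compile(r"org\.apache\.camel:([\w-]+):[\w-]+:([^:\s]+):\w+")


def scan_dependency_list(output):
    """Scan `mvn dependency:list` output, which includes transitive artifacts."""
    findings = []
    for line in output.splitlines():
        m = DEP_LINE.search(line)
        if m and m.group(1) in AFFECTED_ARTIFACTS:
            findings.append((m.group(1), m.group(2), assess(m.group(1), m.group(2))))
    return findings


# Constructed sample inputs so the script runs stand-alone.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <version>1.0.0</version>
  <properties><camel.version>4.18.1</camel.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-jms</artifactId>
      <version>${camel.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-core</artifactId>
      <version>${camel.version}</version>
    </dependency>
  </dependencies>
</project>"""

SAMPLE_DEP_LIST = """[INFO]    org.apache.camel:camel-amqp:jar:4.19.2:compile
[INFO]    org.apache.camel:camel-sjms2:jar:4.20.0:compile
[INFO]    org.apache.activemq:activemq-client:jar:6.1.0:compile"""

if __name__ == "__main__":
    for aid, ver, fixed in scan_pom(SAMPLE_POM) + scan_dependency_list(SAMPLE_DEP_LIST):
        status = f"VULNERABLE, upgrade to {fixed}" if fixed else "not affected"
        print(f"{aid} {ver}: {status}")
```

Run scan_dependency_list on real mvn dependency:list output rather than relying on pom.xml alone: camel-jms is often pulled in transitively (for example through a starter or a BOM-managed version), and the pom scan deliberately skips any version it cannot resolve.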
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40860
https://camel.apache.org/security/CVE-2026-40860.html
http://www.openwall.com/lists/oss-security/2026/04/26/10
This article was created with the assistance of AI technology by Perceptive.
