Consul KV write access becomes RCE in Apache Camel ConsulRegistry
TL;DR - org.apache.camel:camel-consul feeds Consul KV bytes directly into ObjectInputStream.readObject() with no ObjectInputFilter. Write something malicious into the KV store and the next registry lookup executes your code inside the Camel process.
What happened
Apache Camel is a Java integration framework. The camel-consul component connects Camel routes to HashiCorp Consul, including a service registry backed by Consul KV. That registry is where CVE-2026-27172 lives.
ConsulRegistryUtils.deserialize reads Base64-encoded values from the Consul KV store and passes them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. There is no type gating. If an attacker can write a crafted serialized object into the Consul KV prefix used by a Camel ConsulRegistry, the next call to lookupByName or a related lookup deserializes it - and runs attacker-controlled code in the Camel JVM.
| Item | Detail |
|---|---|
| Affected component | org.apache.camel:camel-consul (ConsulRegistry) |
| Affected versions | 3.0.0 to before 4.14.6; 4.15.0 to before 4.18.1 |
| Severity (vendor) | High |
This is the same bug class Camel has had to stamp out repeatedly: reading attacker-influenced bytes from a backing store and deserializing them as Java objects with no filter.
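As an added illustration of the missing step described above (this is example code, not camel-consul's own `ConsulRegistryUtils.deserialize`, and the class and allowlist names are hypothetical), the helper below decodes a Base64 KV value the same way but attaches an `ObjectInputFilter` so that only explicitly allowed value types are rehydrated; anything else is rejected before its class is resolved.

```java
import java.io.*;
import java.util.Base64;
import java.util.Set;

// Hypothetical hardened deserializer for registry values read from Consul KV.
// The only difference from the vulnerable pattern is the filter attached to the stream.
public final class FilteredKvDeserializer {

    // Assumed allowlist: the application decides which registry value types are legitimate.
    // java.lang.String must be listed because the filter is also consulted for TC_STRING records.
    private static final Set<String> ALLOWED = Set.of(
            "java.lang.String", "java.lang.Integer", "java.lang.Number", "java.util.HashMap");

    private static final ObjectInputFilter REGISTRY_FILTER = info -> {
        // Cap graph size so deeply nested or reference-heavy payloads are refused early.
        if (info.depth() > 8 || info.references() > 100 || info.arrayLength() > 1000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            return ObjectInputFilter.Status.UNDECIDED;  // metadata-only callback; limits above still apply
        }
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    /** Decodes a Base64 KV value and deserializes it through the allowlist filter. */
    public static Object deserialize(String base64Value) throws IOException, ClassNotFoundException {
        byte[] bytes = Base64.getDecoder().decode(base64Value);
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(REGISTRY_FILTER);  // the step the vulnerable code omits
            return in.readObject();
        }
    }

    // Test helper: produces a Base64 value shaped like one stored in the KV prefix.
    static String serializeToBase64(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return Base64.getEncoder().encodeToString(bos.toByteArray());
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: an allowlisted String and a non-allowlisted class (java.util.Date).
        Object ok = deserialize(serializeToBase64("service-a"));
        System.out.println("accepted: " + ok);
        try {
            deserialize(serializeToBase64(new java.util.Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected by filter: " + e.getMessage());  // Date is not allowlisted
        }
    }
}
```

An `InvalidClassException` with a `filter status: REJECTED` message is the signal to log and alert on; a rejected value in the registry prefix means someone wrote an object type the application never stores there.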
Who is impacted
- Any application using camel-consul with the ConsulRegistry lookup paths against a Consul KV store that an attacker or compromised principal can write to.
- Environments where Consul KV ACLs are broad - shared clusters, multi-tenant KV prefixes, or automation tokens with wide write permissions.
- Specifically, these version ranges:
  - org.apache.camel:camel-consul 3.0.0 to before 4.14.6
  - org.apache.camel:camel-consul 4.15.0 to before 4.18.1
What to do now
- Upgrade. The vendor guidance is:
"Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1."
- Find every place camel-consul is deployed. Check SBOM outputs, Maven dependency trees, and container images. Flag services using ConsulRegistry explicitly.
- Use this as a prompt to audit your Consul KV ACL policies. Apply least-privilege write access, especially to prefixes used by Camel registries.
- Review recent KV write activity in the relevant prefixes for unexpected keys or values.
- If you suspect exposure, treat it as potential code execution in the Camel process. Rotate any credentials reachable from that runtime: service tokens, downstream API keys, database credentials.
Additional Information
- Apache Camel security advisory: https://camel.apache.org/security/CVE-2026-27172.html
- Tracking ticket: https://issues.apache.org/jira/browse/CAMEL-23029
