Issued:

2026-05-14

Updated:

2026-05-14

RHSA-2026:17668 - Critical: Red Hat Build of Apache Camel 4.18.1 for Spring Boot release.

Synopsis

Critical: Red Hat Build of Apache Camel 4.18.1 for Spring Boot release.

Type/Severity

Security Advisory Critical

Topic

Red Hat build of Apache Camel 4.18.1 for Spring Boot patch release and security update is now available.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat build of Apache Camel 4.18.1 for Spring Boot patch release and security update is now available.

The purpose of this text-only errata is to inform you about the security issues fixed.

Security Fix(es):

• artemis-server: Apache Artemis, Apache ActiveMQ Artemis: Message injection and exfiltration due to missing authentication (CVE-2026-27446)

• spring-boot: Spring Boot: Authentication bypass via misconfigured Health Group additional path (CVE-2026-22731)

• plexus-utils: Plexus-utils: Directory Traversal in extractFile method (CVE-2025-67030)

• netty-codec-http: Netty: Request smuggling via incorrect parsing of HTTP/1.1 chunked transfer encoding extension values (CVE-2026-33870)

• netty-codec-http: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)

• netty-codec-http2: Netty: Denial of Service via HTTP/2 CONTINUATION frame flood (CVE-2026-33871)

• jetty-ee10-annotations: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)

• jetty-ee10-apache-jsp: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)

• jetty-ee10-plus: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)

• jetty-ee10-servlet: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)

• jetty-ee10-servlets: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)

• jetty-ee10-webapp: early return from the JASPIAuthenticator class without clearing ThreadLocal variables (CVE-2026-5795)

• kafka-clients: Apache Kafka Clients: Information disclosure and data corruption due to race condition in producer buffer management (CVE-2026-35554)

• camel-infinispan: camel-infinispan: Remote Code Execution via Unsafe Deserialization (CVE-2026-6857)

• bcprov-debug-jdk15on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)

• bcprov-jdk15on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)

• bcprov-jdk18on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)

• bcprov-lts8on: GOSTCTR implementation unable to process more than 255 blocks correctly (CVE-2025-14813)

• bcpkix-jdk15on: PKIX draft CompositeVerifier accepts empty signature sequence as valid (CVE-2026-5588)

• bcpkix-jdk18on: PKIX draft CompositeVerifier accepts empty signature sequence as valid (CVE-2026-5588)

• bcpg-jdk18on: unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion (CVE-2026-3505)

• bcprov-debug-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)

• bcprov-jdk15on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)

• bcprov-jdk18on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)

• bcprov-lts8on: LDAP injection vulnerability in LDAPStoreHelper.java (CVE-2026-0636)

• spring-boot: Spring Boot: Weak pseudo-random number generation can lead to information disclosure. (CVE-2026-40975)

• camel-mail: Camel-Mail: Altered application behavior via header injection (CVE-2026-33454)

• camel-jms: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)

• camel-google-pubsub: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)

• camel-http: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)

• camel-http-base: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)

• camel-http-common: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)

• camel-http-starter: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection (CVE-2026-40453)

• camel-jms: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage (CVE-2026-40860)

• camel-amqp: Apache Camel: Remote Code Execution via deserialization of JMS ObjectMessage (CVE-2026-40860)

• camel-http-base: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers (CVE-2026-40022)

• camel-http-common: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers (CVE-2026-40022)

• camel-http: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers (CVE-2026-40022)

• camel-http-starter: Apache Camel: Information disclosure and authentication bypass in embedded HTTP/management servers (CVE-2026-40022)

• camel-infinispan-common: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data (CVE-2026-40858)

• camel-infinispan-embedded: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data (CVE-2026-40858)

• camel-infinispan: Apache Camel camel-infinispan: Arbitrary code execution via deserialization of untrusted data (CVE-2026-40858)

• mina-core: Apache MINA: Arbitrary code execution via classname allowlist bypass (CVE-2026-41635)

• spring-boot: Spring Boot: Remote code execution via timing attack in DevTools remote secret comparison (CVE-2026-40972)

• camel-coap: Apache Camel camel-coap: Remote code execution via CoAP URI query parameter injection (CVE-2026-33453)

• jetty-http: HTTP request smuggling via chunked extension quoted-string parsing (CVE-2026-2332)

• spring-boot: Spring Boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory (CVE-2026-40973)

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Fixes

• This content is not included.BZ - 2444320
• This content is not included.BZ - 2449290
• This content is not included.BZ - 2451409
• This content is not included.BZ - 2452453
• This content is not included.BZ - 2452456
• This content is not included.BZ - 2455916
• This content is not included.BZ - 2456519
• This content is not included.BZ - 2458187
• This content is not included.BZ - 2458634
• This content is not included.BZ - 2458638
• This content is not included.BZ - 2458640
• This content is not included.BZ - 2458641
• This content is not included.BZ - 2460003
• This content is not included.BZ - 2463172
• This content is not included.BZ - 2463173
• This content is not included.BZ - 2463177
• This content is not included.BZ - 2463178
• This content is not included.BZ - 2463179
• This content is not included.BZ - 2463181
• This content is not included.BZ - 2463184
• This content is not included.BZ - 2463330
• This content is not included.BZ - 2463332

CVEs

• CVE-2025-14813
• CVE-2025-67030
• CVE-2026-0636
• CVE-2026-2332
• CVE-2026-3505
• CVE-2026-5588
• CVE-2026-5795
• CVE-2026-6857
• CVE-2026-22731
• CVE-2026-27446
• CVE-2026-33453
• CVE-2026-33454
• CVE-2026-33870
• CVE-2026-33871
• CVE-2026-35554
• CVE-2026-40022
• CVE-2026-40453
• CVE-2026-40858
• CVE-2026-40860
• CVE-2026-40972
• CVE-2026-40973
• CVE-2026-40975
• CVE-2026-41635

References

• https://access.redhat.com/security/updates/classification/#critical

Additional information

• The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at Security Contacts and Procedures.
• Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.