CVE-2026-40048: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel PQC
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack — can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.
AI Analysis
Technical Summary
The vulnerability in Apache Camel PQC involves insecure deserialization of untrusted data in the FileBasedKeyLifecycleManager class. Specifically, it deserializes <keyId>.key files using java.io.ObjectInputStream without any ObjectInputFilter or class-loading restrictions, allowing malicious serialized objects to execute code before type checks occur. An attacker who can write to the key directory—via path traversal, misconfigured permissions, compromised provisioning, or symlink attacks—can exploit this to achieve arbitrary code execution within the application context. Affected versions are Apache Camel PQC 4.18.0 through before 4.18.2 and 4.19.0 through before 4.20.0. The vulnerability is addressed in versions 4.18.2 and 4.20.0 by switching to a safer key storage format using PKCS#8 and X.509 Base64 JSON encoding.
Potential Impact
Successful exploitation allows an attacker with write access to the key directory to execute arbitrary code within the Apache Camel application context, potentially leading to full compromise of the affected system. The vulnerability impacts confidentiality, integrity, and availability, as indicated by the CVSS vector (C:H/I:H/A:H). No known exploits in the wild have been reported to date.
Mitigation Recommendations
Users should upgrade affected Apache Camel PQC versions to 4.20.0 or later, or to 4.18.2 if using the 4.18.x LTS stream, as these versions replace the vulnerable deserialization mechanism with secure Base64 JSON encoding of keys. Patch status is not explicitly stated but the vendor advisory recommends upgrading to these fixed versions. Until upgraded, restrict write access to the key directory to trusted users only to prevent exploitation.
CVE-2026-40048: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel PQC
Description
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack — can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.
CVSS v3.1
Score 7.8high
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Camel PQC involves insecure deserialization of untrusted data in the FileBasedKeyLifecycleManager class. Specifically, it deserializes <keyId>.key files using java.io.ObjectInputStream without any ObjectInputFilter or class-loading restrictions, allowing malicious serialized objects to execute code before type checks occur. An attacker who can write to the key directory—via path traversal, misconfigured permissions, compromised provisioning, or symlink attacks—can exploit this to achieve arbitrary code execution within the application context. Affected versions are Apache Camel PQC 4.18.0 through before 4.18.2 and 4.19.0 through before 4.20.0. The vulnerability is addressed in versions 4.18.2 and 4.20.0 by switching to a safer key storage format using PKCS#8 and X.509 Base64 JSON encoding.
Potential Impact
Successful exploitation allows an attacker with write access to the key directory to execute arbitrary code within the Apache Camel application context, potentially leading to full compromise of the affected system. The vulnerability impacts confidentiality, integrity, and availability, as indicated by the CVSS vector (C:H/I:H/A:H). No known exploits in the wild have been reported to date.
Mitigation Recommendations
Users should upgrade affected Apache Camel PQC versions to 4.20.0 or later, or to 4.18.2 if using the 4.18.x LTS stream, as these versions replace the vulnerable deserialization mechanism with secure Base64 JSON encoding of keys. Patch status is not explicitly stated but the vendor advisory recommends upgrading to these fixed versions. Until upgraded, restrict write access to the key directory to trusted users only to prevent exploitation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-08T16:40:29.330Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ef291bba26a39fba10e179
Added to database: 4/27/2026, 9:15:07 AM
Last enriched: 5/5/2026, 2:42:10 AM
Last updated: 6/12/2026, 5:20:03 AM
Views: 53
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.