Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.2%top 91%

CVE-2026-46590: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel

0
High
VulnerabilityCVE-2026-46590cvecve-2026-46590cwe-502
Published: 07/06/2026 (07/06/2026, 08:03:54 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Camel

Description

Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadata back from the configured secret backend by deserializing a Base64-wrapped value with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObject() side effects in a crafted object run before the type check. The same unfiltered legacy-migration read also remained in FileBasedKeyLifecycleManager (for the stored KeyPair and KeyMetadata). A principal who can write to the operator-controlled backend that holds these values - the HashiCorp Vault KV path, or the AWS Secrets Manager secret (requiring a Vault token or secretsmanager:PutSecretValue) - could store a crafted serialized object that is deserialized during normal key-lifecycle operations, potentially leading to code execution in the context of the application that manages the keys. This is an incomplete-remediation follow-on to CVE-2026-40048 (CAMEL-23200), which changed FileBasedKeyLifecycleManager to store metadata as JSON / PKCS#8 / X.509 but did not add an ObjectInputFilter, did not cover the Vault and AWS sibling managers, and left FileBasedKeyLifecycleManager's own legacy-migration deserialization unfiltered. This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, restrict write access to the key backend so that only the application's own identity can write the camel-pqc secrets (least-privilege HashiCorp Vault policies and secretsmanager:PutSecretValue IAM), and keep the PQC key material in a backend separate from any data that less-trusted principals can write.

CVSS v3.1

Score 8.8high

Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected software

Apache Software Foundation/org.apache.camel:camel-pqc
pkg:maven/Apache Software Foundation/org.apache.camel:camel-pqc
Affected versions
>=4.18.0 <4.18.3>=4.19.0 <4.21.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 09:08:48 UTC

Technical Analysis

The vulnerability in Apache Camel's PQC component involves unsafe deserialization of Base64-encoded serialized Java objects by HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager. These managers deserialize data from secret backends using raw ObjectInputStream.readObject() without applying ObjectInputFilter or class allow-listing, allowing any side effects in the deserialized object to execute before type validation. This can be exploited by an attacker who can write to the secret backend (requiring appropriate permissions) to store crafted serialized objects, potentially leading to arbitrary code execution within the application context. This issue is a follow-up to CVE-2026-40048 and affects Apache Camel versions 4.18.0 up to but not including 4.18.3 and 4.19.0 up to but not including 4.21.0. The vendor recommends upgrading to 4.21.0 or 4.18.3 for LTS users. For those unable to upgrade immediately, restricting write permissions to the secret backends is advised.

Potential Impact

An attacker with write access to the operator-controlled secret backends (HashiCorp Vault KV path or AWS Secrets Manager secret) can store crafted serialized objects that are deserialized without filtering, potentially resulting in arbitrary code execution within the application managing the keys. This compromises the confidentiality and integrity of the application environment and may lead to full system compromise depending on the application's privileges.

Mitigation Recommendations

A fix is available: upgrade Apache Camel to version 4.21.0 or, for the 4.18.x LTS stream, to 4.18.3. If immediate upgrade is not feasible, restrict write access to the secret backends so that only the application's own identity can write the camel-pqc secrets. This includes applying least-privilege policies for HashiCorp Vault and AWS Secrets Manager IAM permissions. Additionally, keep PQC key material in a backend separate from any data writable by less-trusted principals.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-05-15T13:23:22.009Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null
Is Cloud Service
true

Threat ID: 6a4b6cac27e9c797192522aa

Added to database: 07/06/2026, 08:51:56 UTC

Last enriched: 07/06/2026, 09:08:48 UTC

Last updated: 07/06/2026, 23:07:57 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses