CVE-2026-46590: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadata back from the configured secret backend by deserializing a Base64-wrapped value with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObject() side effects in a crafted object run before the type check. The same unfiltered legacy-migration read also remained in FileBasedKeyLifecycleManager (for the stored KeyPair and KeyMetadata). A principal who can write to the operator-controlled backend that holds these values - the HashiCorp Vault KV path, or the AWS Secrets Manager secret (requiring a Vault token or secretsmanager:PutSecretValue) - could store a crafted serialized object that is deserialized during normal key-lifecycle operations, potentially leading to code execution in the context of the application that manages the keys. This is an incomplete-remediation follow-on to CVE-2026-40048 (CAMEL-23200), which changed FileBasedKeyLifecycleManager to store metadata as JSON / PKCS#8 / X.509 but did not add an ObjectInputFilter, did not cover the Vault and AWS sibling managers, and left FileBasedKeyLifecycleManager's own legacy-migration deserialization unfiltered. This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, restrict write access to the key backend so that only the application's own identity can write the camel-pqc secrets (least-privilege HashiCorp Vault policies and secretsmanager:PutSecretValue IAM), and keep the PQC key material in a backend separate from any data that less-trusted principals can write.
AI Analysis
Technical Summary
The vulnerability in Apache Camel's PQC component involves unsafe deserialization of Base64-encoded serialized Java objects by HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager. These managers deserialize data from secret backends using raw ObjectInputStream.readObject() without applying ObjectInputFilter or class allow-listing, allowing any side effects in the deserialized object to execute before type validation. This can be exploited by an attacker who can write to the secret backend (requiring appropriate permissions) to store crafted serialized objects, potentially leading to arbitrary code execution within the application context. This issue is a follow-up to CVE-2026-40048 and affects Apache Camel versions 4.18.0 up to but not including 4.18.3 and 4.19.0 up to but not including 4.21.0. The vendor recommends upgrading to 4.21.0 or 4.18.3 for LTS users. For those unable to upgrade immediately, restricting write permissions to the secret backends is advised.
Potential Impact
An attacker with write access to the operator-controlled secret backends (HashiCorp Vault KV path or AWS Secrets Manager secret) can store crafted serialized objects that are deserialized without filtering, potentially resulting in arbitrary code execution within the application managing the keys. This compromises the confidentiality and integrity of the application environment and may lead to full system compromise depending on the application's privileges.
Mitigation Recommendations
A fix is available: upgrade Apache Camel to version 4.21.0 or, for the 4.18.x LTS stream, to 4.18.3. If immediate upgrade is not feasible, restrict write access to the secret backends so that only the application's own identity can write the camel-pqc secrets. This includes applying least-privilege policies for HashiCorp Vault and AWS Secrets Manager IAM permissions. Additionally, keep PQC key material in a backend separate from any data writable by less-trusted principals.
CVE-2026-46590: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
Description
Deserialization of Untrusted Data vulnerability in Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadata back from the configured secret backend by deserializing a Base64-wrapped value with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObject() side effects in a crafted object run before the type check. The same unfiltered legacy-migration read also remained in FileBasedKeyLifecycleManager (for the stored KeyPair and KeyMetadata). A principal who can write to the operator-controlled backend that holds these values - the HashiCorp Vault KV path, or the AWS Secrets Manager secret (requiring a Vault token or secretsmanager:PutSecretValue) - could store a crafted serialized object that is deserialized during normal key-lifecycle operations, potentially leading to code execution in the context of the application that manages the keys. This is an incomplete-remediation follow-on to CVE-2026-40048 (CAMEL-23200), which changed FileBasedKeyLifecycleManager to store metadata as JSON / PKCS#8 / X.509 but did not add an ObjectInputFilter, did not cover the Vault and AWS sibling managers, and left FileBasedKeyLifecycleManager's own legacy-migration deserialization unfiltered. This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, restrict write access to the key backend so that only the application's own identity can write the camel-pqc secrets (least-privilege HashiCorp Vault policies and secretsmanager:PutSecretValue IAM), and keep the PQC key material in a backend separate from any data that less-trusted principals can write.
CVSS v3.1
Score 8.8high
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-pqcRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Camel's PQC component involves unsafe deserialization of Base64-encoded serialized Java objects by HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager. These managers deserialize data from secret backends using raw ObjectInputStream.readObject() without applying ObjectInputFilter or class allow-listing, allowing any side effects in the deserialized object to execute before type validation. This can be exploited by an attacker who can write to the secret backend (requiring appropriate permissions) to store crafted serialized objects, potentially leading to arbitrary code execution within the application context. This issue is a follow-up to CVE-2026-40048 and affects Apache Camel versions 4.18.0 up to but not including 4.18.3 and 4.19.0 up to but not including 4.21.0. The vendor recommends upgrading to 4.21.0 or 4.18.3 for LTS users. For those unable to upgrade immediately, restricting write permissions to the secret backends is advised.
Potential Impact
An attacker with write access to the operator-controlled secret backends (HashiCorp Vault KV path or AWS Secrets Manager secret) can store crafted serialized objects that are deserialized without filtering, potentially resulting in arbitrary code execution within the application managing the keys. This compromises the confidentiality and integrity of the application environment and may lead to full system compromise depending on the application's privileges.
Mitigation Recommendations
A fix is available: upgrade Apache Camel to version 4.21.0 or, for the 4.18.x LTS stream, to 4.18.3. If immediate upgrade is not feasible, restrict write access to the secret backends so that only the application's own identity can write the camel-pqc secrets. This includes applying least-privilege policies for HashiCorp Vault and AWS Secrets Manager IAM permissions. Additionally, keep PQC key material in a backend separate from any data writable by less-trusted principals.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-15T13:23:22.009Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a4b6cac27e9c797192522aa
Added to database: 07/06/2026, 08:51:56 UTC
Last enriched: 07/06/2026, 09:08:48 UTC
Last updated: 07/06/2026, 23:07:57 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.