Description
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack — can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application.

This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2.

Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS release stream, upgrade to 4.18.2.
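The following is an added illustration, not code from Apache Camel or from this advisory. It places the unsafe pattern the description names (an unfiltered `ObjectInputStream.readObject()` followed by a cast to `KeyPair`) beside the kind of storage the fix moves to: the private key as Base64 PKCS#8, the public key as Base64 X.509 SubjectPublicKeyInfo, wrapped in a small JSON document. The flat JSON layout, the field names `algorithm`, `privateKey` and `publicKey`, the hand-written field extractor, the algorithm allowlist and the use of `EC` in `main` are all assumptions of this example, not Camel-PQC's actual file format; the same JCA calls apply to post-quantum algorithms such as `ML-DSA` on a JDK that provides them.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Illustrative key-file storage (hypothetical, not Camel's code): unsafe pattern vs. encoding-based storage. */
public final class KeyFileStorageExample {

    /** Algorithm names this example is willing to hand to KeyFactory (assumed allowlist). */
    private static final Set<String> ALLOWED_ALGORITHMS = Set.of("EC", "ML-DSA", "ML-KEM");

    /**
     * The pattern the advisory describes: readObject() instantiates whatever class the file
     * names and runs its deserialization logic first; the KeyPair cast is checked only afterwards.
     * Kept here solely to contrast with load() below.
     */
    static KeyPair loadUnsafe(Path keyFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(keyFile))) {
            return (KeyPair) in.readObject(); // type check happens after deserialization side effects
        }
    }

    /** Safe: persist the key pair as Base64 PKCS#8 / X.509 encodings inside a small JSON document. */
    static void save(Path keyFile, KeyPair pair) throws IOException {
        if (!"PKCS#8".equals(pair.getPrivate().getFormat()) || !"X.509".equals(pair.getPublic().getFormat())) {
            throw new IOException("key does not expose PKCS#8 / X.509 encodings");
        }
        Base64.Encoder b64 = Base64.getEncoder();
        String json = "{\n"
                + "  \"algorithm\": \"" + pair.getPrivate().getAlgorithm() + "\",\n"
                + "  \"privateKey\": \"" + b64.encodeToString(pair.getPrivate().getEncoded()) + "\",\n"
                + "  \"publicKey\": \"" + b64.encodeToString(pair.getPublic().getEncoded()) + "\"\n"
                + "}\n";
        Files.writeString(keyFile, json, StandardCharsets.UTF_8);
    }

    /**
     * Safe: parsing yields only strings and byte arrays, never arbitrary objects, and KeyFactory
     * rejects anything that is not a well-formed key encoding for the allowlisted algorithm.
     */
    static KeyPair load(Path keyFile) throws IOException, GeneralSecurityException {
        String json = Files.readString(keyFile, StandardCharsets.UTF_8);
        String algorithm = field(json, "algorithm");
        if (!ALLOWED_ALGORITHMS.contains(algorithm)) {
            throw new GeneralSecurityException("algorithm not allowed: " + algorithm);
        }
        byte[] priv = Base64.getDecoder().decode(field(json, "privateKey"));
        byte[] pub = Base64.getDecoder().decode(field(json, "publicKey"));
        KeyFactory kf = KeyFactory.getInstance(algorithm);
        PrivateKey privateKey = kf.generatePrivate(new PKCS8EncodedKeySpec(priv));
        PublicKey publicKey = kf.generatePublic(new X509EncodedKeySpec(pub));
        return new KeyPair(publicKey, privateKey);
    }

    /** Minimal extractor for the flat JSON written by save(); a real implementation would use a JSON library. */
    private static String field(String json, String name) throws IOException {
        Pattern p = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([A-Za-z0-9+/=._-]*)\"");
        Matcher m = p.matcher(json);
        if (!m.find()) {
            throw new IOException("missing field: " + name);
        }
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        // "EC" keeps the example runnable on any current JDK; it is a stand-in for the PQC algorithms.
        KeyPair original = KeyPairGenerator.getInstance("EC").generateKeyPair();
        Path keyFile = Files.createTempFile("example", ".key");
        try {
            save(keyFile, original);
            KeyPair restored = load(keyFile);
            boolean ok = Arrays.equals(original.getPrivate().getEncoded(), restored.getPrivate().getEncoded())
                    && Arrays.equals(original.getPublic().getEncoded(), restored.getPublic().getEncoded());
            System.out.println("round trip ok: " + ok);
        } finally {
            Files.deleteIfExists(keyFile);
        }
    }
}
```

The point of the contrast is that `load()` has no code path through which file contents choose a class to instantiate: the worst a tampered file can do is fail Base64 decoding or be rejected by `KeyFactory`. Where an interim hardening of an existing `ObjectInputStream` loader is unavoidable, a restrictive `ObjectInputFilter` (JEP 290) limits which classes may be deserialized, but the advisory's fix of dropping Java serialization for key storage removes the class entirely.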
Published: 2026-04-27
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises when the Camel-PQC FileBasedKeyLifecycleManager deserializes the contents of key files using java.io.ObjectInputStream without any validation or filter. A malicious attacker can place a crafted serialized object in the key directory, and because the readObject() side effects execute before the type check, arbitrary code runs within the application's process. The effect is the execution of attacker-supplied code with the same privileges as the running Camel application, allowing compromise of the application and potentially the host system.

Affected Systems

Apache Camel PQC versions 4.18.0 through 4.18.1 and 4.19.0 through 4.19.x are affected. The problem is resolved in 4.18.2 and 4.20.0 and later releases.

Risk and Exploitability

The CVSS score of 7.8 marks this flaw as high severity, and it falls under CWE-502 (Insecure Deserialization). The EPSS score of <1% indicates that, as of now, real-world exploitation is unlikely, and the flaw is not listed in CISA's KEV catalog. However, the attack vector requires an attacker to write to the key directory—from path traversal, misconfigured filesystem permissions, a compromised provisioning pipeline, or a symlink attack—which is feasible in poorly secured deployments. If such write access is achieved, arbitrary code execution follows immediately during normal key lifecycle operations.

Generated by OpenCVE AI on April 28, 2026 at 13:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel PQC to version 4.20.0; for users on the 4.18.x LTS stream, upgrade to 4.18.2.
  • Restrict write permissions on the key directory so that only trusted processes or users can write key files, reducing the ability to inject malicious objects.
  • If an immediate upgrade is not possible, reconfigure the application to use the PKCS#8 / X.509 Base64 JSON storage format or otherwise disable the FileBasedKeyLifecycleManager deserialization path until the patch is applied.

Generated by OpenCVE AI on April 28, 2026 at 13:08 UTC.

Tracking


Advisories
Source: Github GHSA
ID: GHSA-v3vg-332r-mw99
Title: Camel-PQC Vulnerable to Deserialization of Untrusted Data
History

Wed, 06 May 2026 00:15:00 +0000

Type: References
Type: Metrics
  threat_severity
    Values Removed: None
    Values Added: Important


Tue, 28 Apr 2026 19:45:00 +0000

Type: CPEs
  Values Removed: cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
  Values Added: cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*

Tue, 28 Apr 2026 08:45:00 +0000

Type: First Time appeared
  Values Added: Apache, Apache camel
Type: Vendors & Products
  Values Added: Apache, Apache camel

Mon, 27 Apr 2026 16:15:00 +0000

Type: Metrics
  cvssV3_1
    Values Added: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}
  ssvc
    Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 09:30:00 +0000

Type: References

Mon, 27 Apr 2026 09:15:00 +0000

Type: Values Added
Description The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack — can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.
Title Apache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager
Weaknesses CWE-502
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-29T03:55:33.198Z

Reserved: 2026-04-08T16:40:29.330Z

Link: CVE-2026-40048

Vulnrichment

Updated: 2026-04-27T08:55:14.226Z

NVD

Status : Analyzed

Published: 2026-04-27T09:16:01.287

Modified: 2026-04-28T19:43:29.363

Link: CVE-2026-40048

Redhat

Severity : Important

Public Date: 2026-04-27T07:53:54Z

Links: CVE-2026-40048 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T13:15:31Z

Weaknesses