CVE-2026-40048
Apache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application โ for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack โ can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.
| CWE | CWE-502 |
| Vendor | apache software foundation |
| Product | apache camel pqc |
| Published | Apr 27, 2026 |
| Last Updated | Apr 27, 2026 |
Get instant alerts for apache software foundation apache camel pqc
Be the first to know when new unknown vulnerabilities affecting apache software foundation apache camel pqc are published โ delivered to Slack, Telegram or Discord.