CVE-2026-40048
Received Received - Intake
Insecure Java Deserialization in Apache Camel Key Manager Enables RCE

Publication date: 2026-04-27

Last updated on: 2026-04-28

Assigner: Apache Software Foundation

Description
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application β€” for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack β€” can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40048
EUVD
EUVD-2026-25790
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache camel From 4.18.0 (inc) to 4.18.2 (exc)
apache camel 4.19.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in Apache Camel's Camel-PQC component, specifically in the FileBasedKeyLifecycleManager class. This class deserializes `<keyId>.key` files from a configured key directory using `java.io.ObjectInputStream` without applying any ObjectInputFilter or class-loading restrictions.

The deserialization process casts the deserialized object to `java.security.KeyPair` only after the `readObject()` method returns, which means any side effects in the deserialized object's `readObject()` method execute before the type check.

An attacker who can write to the key directoryβ€”through methods such as path traversal, misconfigured filesystem permissions, compromised key provisioning pipelines, or symlink attacksβ€”can place a crafted serialized Java object. When this object is deserialized during normal key lifecycle operations, it can lead to arbitrary code execution within the application's context.

The issue affects Apache Camel versions from 4.19.0 before 4.20.0 and from 4.18.0 before 4.18.2. It is fixed by replacing the insecure deserialization mechanism with standard Base64-encoded JSON formats using PKCS#8 for private keys and X.509 SubjectPublicKeyInfo for public keys.

Impact Analysis

This vulnerability can allow an attacker who has write access to the key directory to execute arbitrary code within the context of the Apache Camel application.

Such arbitrary code execution can lead to full compromise of the application, potentially allowing the attacker to manipulate application behavior, access sensitive data, or disrupt services.

The attack vectors include path traversal, misconfigured filesystem permissions, compromised key provisioning pipelines, or symlink attacks that enable placing malicious serialized objects in the key directory.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Apache Camel to version 4.20.0 or later.

For users on the 4.18.x LTS release stream, upgrading to version 4.18.2 is recommended.

These versions fix the issue by replacing the insecure java.io.ObjectInputStream-based key and metadata storage with standard Base64-encoded JSON formats using PKCS#8 for private keys and X.509 SubjectPublicKeyInfo for public keys.

Compliance Impact

The vulnerability allows arbitrary code execution in the context of the Apache Camel application if an attacker can write to the key directory. This can lead to unauthorized access or manipulation of cryptographic keys used by the application.

Such unauthorized access or compromise of cryptographic keys can undermine the confidentiality and integrity of sensitive data, potentially violating data protection requirements under standards like GDPR and HIPAA.

Therefore, this vulnerability poses a risk to compliance with common security and privacy regulations that mandate protection of sensitive data and cryptographic materials.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40048. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart