CVE-2026-40048
Insecure Java Deserialization in Apache Camel Key Manager Enables RCE
Publication date: 2026-04-27
Last updated on: 2026-04-28
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | camel | From 4.18.0 (inc) to 4.18.2 (exc) |
| apache | camel | 4.19.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in Apache Camel's Camel-PQC component, specifically in the FileBasedKeyLifecycleManager class. This class deserializes `<keyId>.key` files from a configured key directory using `java.io.ObjectInputStream` without applying any ObjectInputFilter or class-loading restrictions.
The deserialization process casts the deserialized object to `java.security.KeyPair` only after the `readObject()` method returns, which means any side effects in the deserialized object's `readObject()` method execute before the type check.
An attacker who can write to the key directory (through path traversal, misconfigured filesystem permissions, compromised key provisioning pipelines, or symlink attacks) can place a crafted serialized Java object there. When this object is deserialized during normal key lifecycle operations, it can lead to arbitrary code execution within the application's context.
The issue affects Apache Camel versions from 4.19.0 before 4.20.0 and from 4.18.0 before 4.18.2. It is fixed by replacing the insecure deserialization mechanism with standard Base64-encoded JSON formats using PKCS#8 for private keys and X.509 SubjectPublicKeyInfo for public keys.
How can this vulnerability impact me?
This vulnerability can allow an attacker who has write access to the key directory to execute arbitrary code within the context of the Apache Camel application.
Such arbitrary code execution can lead to full compromise of the application, potentially allowing the attacker to manipulate application behavior, access sensitive data, or disrupt services.
The attack vectors include path traversal, misconfigured filesystem permissions, compromised key provisioning pipelines, or symlink attacks that enable placing malicious serialized objects in the key directory.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users should upgrade Apache Camel to version 4.20.0 or later.
For users on the 4.18.x LTS release stream, upgrading to version 4.18.2 is recommended.
These versions fix the issue by replacing the insecure `java.io.ObjectInputStream`-based key and metadata storage with standard Base64-encoded JSON formats using PKCS#8 for private keys and X.509 SubjectPublicKeyInfo for public keys.
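The following is an added example, not Camel's own code, showing the encoded-format approach the fix describes in place of the `ObjectInputStream` pattern explained above: only PKCS#8 and X.509 SubjectPublicKeyInfo bytes are stored, and loading goes through `KeyFactory`, which parses ASN.1 key structures and cannot instantiate arbitrary classes. The `Properties` layout and field names are placeholder assumptions standing in for the JSON record, and EC stands in for a PQC algorithm so it runs on any current JDK.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.spec.*;
import java.util.*;

// Added illustration, not Camel's code. The Properties layout and key names are
// placeholders standing in for the JSON record the fix describes.
public class KeyStorageExample {

    // Hardened replacement for the ObjectInputStream pattern: persist only standard
    // encodings. getEncoded() yields PKCS#8 for the private key and X.509
    // SubjectPublicKeyInfo for the public key.
    static void saveEncoded(KeyPair kp, Path keyFile) throws IOException {
        Properties p = new Properties();
        p.setProperty("algorithm", kp.getPrivate().getAlgorithm());
        p.setProperty("privateKey", Base64.getEncoder().encodeToString(kp.getPrivate().getEncoded()));
        p.setProperty("publicKey", Base64.getEncoder().encodeToString(kp.getPublic().getEncoded()));
        try (Writer w = Files.newBufferedWriter(keyFile, StandardCharsets.UTF_8)) {
            p.store(w, "key record (example layout)");
        }
    }

    // KeyFactory parses ASN.1 key structures only. Unlike ObjectInputStream, a
    // tampered file can raise InvalidKeySpecException but can never cause an
    // application-chosen class to be instantiated or its readObject() to run.
    static KeyPair loadEncoded(Path keyFile) throws Exception {
        Properties p = new Properties();
        try (Reader r = Files.newBufferedReader(keyFile, StandardCharsets.UTF_8)) {
            p.load(r);
        }
        KeyFactory kf = KeyFactory.getInstance(p.getProperty("algorithm"));
        Base64.Decoder b64 = Base64.getDecoder();
        PrivateKey priv = kf.generatePrivate(new PKCS8EncodedKeySpec(b64.decode(p.getProperty("privateKey"))));
        PublicKey pub = kf.generatePublic(new X509EncodedKeySpec(b64.decode(p.getProperty("publicKey"))));
        return new KeyPair(pub, priv);
    }

    public static void main(String[] args) throws Exception {
        // EC stands in for a PQC algorithm so the example runs on any current JDK.
        KeyPair kp = KeyPairGenerator.getInstance("EC").generateKeyPair();
        Path f = Files.createTempFile("example", ".key");
        saveEncoded(kp, f);
        KeyPair back = loadEncoded(f);
        System.out.println("round trip ok: "
                + Arrays.equals(kp.getPrivate().getEncoded(), back.getPrivate().getEncoded()));
    }
}
```

Write access to the key directory still lets an attacker swap keys, so filesystem permissions on that directory remain part of the mitigation; the encoded format only removes the code-execution path.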
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows arbitrary code execution in the context of the Apache Camel application if an attacker can write to the key directory. This can lead to unauthorized access or manipulation of cryptographic keys used by the application.
Such unauthorized access or compromise of cryptographic keys can undermine the confidentiality and integrity of sensitive data, potentially violating data protection requirements under standards like GDPR and HIPAA.
Therefore, this vulnerability poses a risk to compliance with common security and privacy regulations that mandate protection of sensitive data and cryptographic materials.