CVE-2026-43867
Received Received - Intake

Deserialization of Untrusted Data in Apache Camel PQC Component

Vulnerability report for CVE-2026-43867, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() reads that metadata back from the configured AWS Secrets Manager secret by Base64-decoding the stored value and deserializing it with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObject() side effects in a crafted object run before the type check. A principal who can write to the AWS Secrets Manager secret that holds this metadata (requiring secretsmanager:PutSecretValue on that secret) could store a crafted serialized object that is deserialized during normal key-lifecycle operations, potentially leading to code execution in the context of the application that manages the keys. This is the same underlying defect, in the same code path and remediated by the same fix, as CVE-2026-46590, which was reported independently and additionally covers the HashiCorp Vault and file-based sibling managers; both are incomplete-remediation follow-ons to CVE-2026-40048 (CAMEL-23200). This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, restrict write access to the AWS Secrets Manager secret that holds the camel-pqc key metadata so that only the application’s own identity holds secretsmanager:PutSecretValue on it (least-privilege IAM), and keep the PQC key material in a secret separate from any data that less-trusted principals can write.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
apache camel to 4.18.3 (exc)
apache camel to 4.21.0 (exc)
apache camel 4.21.0
apache camel 4.18.3

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-43867 is a medium-severity security vulnerability in the Apache Camel camel-pqc component. It involves insecure deserialization of key metadata stored in AWS Secrets Manager. Specifically, the AwsSecretsManagerKeyLifecycleManager reads serialized key metadata using java.io.ObjectInputStream.readObject() without applying any ObjectInputFilter or class allow-list. This means that if an attacker has write access to the AWS Secrets Manager secret (requiring secretsmanager:PutSecretValue permission), they can store a crafted serialized object that will be deserialized during normal key lifecycle operations. Because the deserialization happens before type checks, this can lead to arbitrary code execution within the application managing the keys.

The vulnerability affects Apache Camel versions from 4.18.0 before 4.18.3 and from 4.19.0 before 4.21.0. The issue is related to CWE-502 (Deserialization of Untrusted Data) and is similar to CVE-2026-46590. The fix involves upgrading to versions 4.21.0 or 4.18.3, which introduce a safer deserialization approach using JSON and an allow-list ObjectInputFilter.

Impact Analysis

If exploited, this vulnerability can lead to arbitrary code execution within the context of the application that manages the keys. This means an attacker with write access to the AWS Secrets Manager secret could execute malicious code, potentially compromising the security and integrity of the application and its environment.

The impact depends on the attacker's ability to write to the AWS Secrets Manager secret holding the key metadata. If such access is granted, the attacker can craft serialized objects that trigger harmful side effects during deserialization, leading to unauthorized actions or control over the application.

To mitigate the impact, users should upgrade to fixed versions or restrict write permissions to the secret to only the application's own identity, following the principle of least privilege.

Mitigation Strategies

To mitigate this vulnerability immediately, users should upgrade Apache Camel to version 4.21.0 or 4.18.3 if they are on the 4.18.x LTS release stream, as these versions include the fix.

If upgrading immediately is not possible, restrict write access to the AWS Secrets Manager secret that holds the camel-pqc key metadata. Only the application’s own identity should have the secretsmanager:PutSecretValue permission on that secret, following the principle of least privilege.

Additionally, keep the PQC key material in a secret separate from any data that less-trusted principals can write to reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-43867. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart