-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - --- title: "Apache Camel Security Advisory - CVE-2026-40048" date: 2026-04-24T09:00:00+02:00 url: /security/CVE-2026-40048.html draft: false type: security-advisory cve: CVE-2026-40048 severity: HIGH summary: "Camel-PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager" description: "The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack — can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application." mitigation: "Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2." credit: "This issue was discovered by Andrea Cosentino from Apache Software Foundation and Venkatraman Kumar from Securin" affected: From 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. fixed: 4.18.2 and 4.20.0 - --- The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23200 refers to the various commits that resolved the issue, and have more details. -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmnuCHAACgkQ406fOAL/ QQAOoAf/U6UyLfNOSuQhe6gGCaxmUuAmn6NxnR2TkE1sefPevHY6qWGmBNl2Lh6w t7DMd1seolajBHK3OkQHDJ2m/+Mfj3GzMYZHbafutf12g8JSWhyeGQl0cxY925BO iaH4JzlQFDusGTzrv9ZgXMsm1UsLXAovgPH+6k9bAdyajSTts1Sm1KkPKUMlK+Kn bxcIv7rofq7rxKl46gW89FZB+XzNrCg5Rl4+JqohkETu758E3GsoB4lnHBv/8XrQ Dcvkxztb0p5iQ1W+oafIbg1bbLk753yS3azP9boC214BMh6eG1mw+D0B7BlCoNUy U47bn2J7X6lmxdWZcgKbg6bfIsSEkA== =urUO -----END PGP SIGNATURE-----