{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40048", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-04-08T16:40:29.330Z", "datePublished": "2026-04-27T07:53:54.636Z", "dateUpdated": "2026-04-29T03:55:33.198Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected", "packageName": "org.apache.camel:camel-pqc", "product": "Apache Camel PQC", "vendor": "Apache Software Foundation", "versions": [{"lessThan": "4.20.0", "status": "affected", "version": "4.19.0", "versionType": "semver"}, {"lessThan": "4.18.2", "status": "affected", "version": "4.18.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Andrea Cosentino from ASF"}, {"lang": "en", "type": "finder", "value": "Venkatraman Kumar from Securin"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `&lt;keyId&gt;.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application \u2014 for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack \u2014 can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application.</p><p>This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2.</p><p>Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.</p>"}], "value": "The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application \u2014 for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack \u2014 can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application.\n\nThis issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2.\n\nUsers are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2."}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-27T07:53:54.636Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://camel.apache.org/security/CVE-2026-40048.html"}], "source": {"defect": ["CAMEL-23200"], "discovery": "UNKNOWN"}, "title": "Apache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/26/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T08:55:14.226Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-40048"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T03:55:33.198Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/26/6"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-27T08:55:14.226Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-40048", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T15:10:02.537160Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T15:10:18.307Z"}}], "cna": {"title": "Apache Camel PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager", "source": {"defect": ["CAMEL-23200"], "discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Andrea Cosentino from ASF"}, {"lang": "en", "type": "finder", "value": "Venkatraman Kumar from Securin"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "important"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Camel PQC", "versions": [{"status": "affected", "version": "4.19.0", "lessThan": "4.20.0", "versionType": "semver"}, {"status": "affected", "version": "4.18.0", "lessThan": "4.18.2", "versionType": "semver"}], "packageName": "org.apache.camel:camel-pqc", "collectionURL": "https://repo.maven.apache.org/maven2", "defaultStatus": "unaffected"}], "references": [{"url": "https://camel.apache.org/security/CVE-2026-40048.html", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application \u2014 for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack \u2014 can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application.\n\nThis issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2.\n\nUsers are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.", "supportingMedia": [{"type": "text/html", "value": "<p>The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `&lt;keyId&gt;.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application \u2014 for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack \u2014 can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application.</p><p>This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2.</p><p>Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502 Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-27T07:53:54.636Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40048", "state": "PUBLISHED", "dateUpdated": "2026-04-29T03:55:33.198Z", "dateReserved": "2026-04-08T16:40:29.330Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-27T07:53:54.636Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*", "matchCriteriaId": "964E4E5F-CDA3-4B7F-BF33-1C6B592FE11D", "versionEndExcluding": "4.18.2", "versionStartIncluding": "4.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*", "matchCriteriaId": "EDA4D206-8808-4D2A-873E-8488DD7E3E16", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application \u2014 for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack \u2014 can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application.\n\nThis issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2.\n\nUsers are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2."}], "id": "CVE-2026-40048", "lastModified": "2026-04-28T19:43:29.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-27T09:16:01.287", "references": [{"source": "security@apache.org", "tags": ["Vendor Advisory"], "url": "https://camel.apache.org/security/CVE-2026-40048.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2026/04/26/6"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Camel: Apache Camel: Arbitrary code execution via insecure deserialization of crafted key files", "id": "2463176", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2463176"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-502", "details": ["A flaw was found in Apache Camel. The FileBasedKeyLifecycleManager class deserializes key files without proper validation, allowing an attacker who can write to the key directory to place a specially crafted serialized Java object. When this object is deserialized during normal key operations, it can lead to arbitrary code execution within the application. This vulnerability stems from insecure deserialization of untrusted data."], "name": "CVE-2026-40048", "package_state": [{"cpe": "cpe:/a:redhat:camel_spring_boot:4", "fix_state": "Not affected", "package_name": "camel-pqc", "product_name": "Red Hat build of Apache Camel for Spring Boot 4"}], "public_date": "2026-04-27T07:53:54Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-40048\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-40048\nhttp://www.openwall.com/lists/oss-security/2026/04/26/6\nhttps://camel.apache.org/security/CVE-2026-40048.html"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.19.0,4.20.0)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.18.0,4.18.2)"}}], "enrichment": {"confidence": 86.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 86.0, "source": "matching"}]}, "original": {"product": "Apache Camel PQC", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "camel", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-28T13:08:57.725219+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Camel PQC to version 4.20.0; for users on the 4.18.x LTS stream, upgrade to 4.18.2.", "Restrict write permissions on the key directory so that only trusted processes or users can write key files, reducing the ability to inject malicious objects.", "If an immediate upgrade is not possible, reconfigure the application to use the PKCS#8 / X.509 Base64 JSON storage format or otherwise disable the FileBasedKeyLifecycleManager deserialization path until the patch is applied."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Apache Camel PQC versions 4.18.0 through 4.18.1 and 4.19.0 through 4.19.x are affected. The problem is resolved in 4.18.2 and 4.20.0 and later releases.", "description_and_impact": "The vulnerability arises when the Camel\u2011PQC FileBasedKeyLifecycleManager deserializes the contents of key files using java.io.ObjectInputStream without any validation or filter. A malicious attacker can place a crafted serialized object in the key directory, and because the readObject() side effects execute before the type check, arbitrary code runs within the application\u2019s process. The effect is the execution of attacker\u2011supplied code with the same privileges as the running Camel application, allowing compromise of the application and potentially the host system.", "risk_and_exploitability": "The CVSS score of 7.8 marks this flaw as high severity, and it falls under CWE\u2011502 (Insecure Deserialization). The EPSS score of <1% indicates that, as of now, real\u2011world exploitation is unlikely, and the flaw is not listed in CISA\u2019s KEV catalog. However, the attack vector requires an attacker to write to the key directory\u2014from path traversal, misconfigured filesystem permissions, a compromised provisioning pipeline, or a symlink attack\u2014which is feasible in poorly secured deployments. If such write access is achieved, arbitrary code execution follows immediately during normal key lifecycle operations."}}}}, "created": "2026-04-28T08:30:13.042206+00:00", "updated": "2026-04-28T13:15:31.881544+00:00", "vendors": ["apache", "apache$PRODUCT$camel"]}