CVE-2026-40048
HIGH · CVSS v3.1: 7.8 · EPSS: 0.0032 (24.3 percentile)
At a glance
- Severity: HIGH
- CVSS: 7.8 (v3.1) · Source: NVD
- EPSS: 0.0032 (24.3 percentile) · Source: FIRST.org
- CISA KEV: No
- Type: Insecure Deserialization · Source: NVD CWE
- Attack conditions (CVSS vector): No user interaction · Source: NVD vector
- Affected vendors: apache
- Published: 2026-04-27 · Modified: 2026-06-30
- References: 5 (listed below)
Sources: CVSS from NVD, EPSS from FIRST.org, KEV from CISA.
Description
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack — can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, and from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. Users on the 4.18.x LTS release stream should upgrade to 4.18.2.
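The storage pattern the fix adopts, as an added example that is not Camel's own code: the key pair is written as PKCS#8 and X.509 SubjectPublicKeyInfo bytes in Base64 inside a small JSON object and reloaded through KeyFactory, so no ObjectInputStream and no arbitrary object graph is involved. The JSON field names and the "EC" algorithm are assumptions for this illustration.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public final class EncodedKeyPairStore {

    // Store a KeyPair as standard key encodings wrapped in Base64.
    // The JSON field names are assumptions for this example, not Camel's format.
    public static String encode(KeyPair kp) {
        Base64.Encoder b64 = Base64.getEncoder();
        return "{\"algorithm\":\"" + kp.getPrivate().getAlgorithm() + "\","
             + "\"privateKey\":\"" + b64.encodeToString(kp.getPrivate().getEncoded()) + "\"," // PKCS#8
             + "\"publicKey\":\"" + b64.encodeToString(kp.getPublic().getEncoded()) + "\"}";  // X.509 SPKI
    }

    // Rebuild the KeyPair through KeyFactory: only key material is parsed and no
    // object graph is reconstructed, so a crafted file cannot trigger readObject() hooks.
    public static KeyPair decode(String json) throws GeneralSecurityException {
        String alg = field(json, "algorithm");
        byte[] priv = Base64.getDecoder().decode(field(json, "privateKey"));
        byte[] pub = Base64.getDecoder().decode(field(json, "publicKey"));
        KeyFactory kf = KeyFactory.getInstance(alg);
        return new KeyPair(kf.generatePublic(new X509EncodedKeySpec(pub)),
                           kf.generatePrivate(new PKCS8EncodedKeySpec(priv)));
    }

    // Minimal field extractor for the flat JSON object produced by encode().
    private static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\":\"([^\"]*)\"").matcher(json);
        if (!m.find()) throw new IllegalArgumentException("missing field: " + name);
        return m.group(1);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // "EC" is a stand-in; the same encodings apply to any KeyFactory-supported algorithm.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        KeyPair original = gen.generateKeyPair();
        KeyPair loaded = decode(encode(original));
        boolean ok = Arrays.equals(original.getPrivate().getEncoded(), loaded.getPrivate().getEncoded())
                  && Arrays.equals(original.getPublic().getEncoded(), loaded.getPublic().getEncoded());
        System.out.println("round-trip intact: " + ok);
    }
}
```

Where legacy `.key` files must still be read during a migration, `ObjectInputStream.setObjectInputFilter` (Java 9+) can reject unexpected classes, but it is a stopgap rather than a replacement for the encoding above.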
References
Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.
- Vendor advisory https://camel.apache.org/security/CVE-2026-40048.html
- Reference http://www.openwall.com/lists/oss-security/2026/04/26/6
- Distro https://access.redhat.com/security/cve/CVE-2026-40048
- Distro https://bugzilla.redhat.com/show_bug.cgi?id=2463176
- Distro https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40048.json