Deserialization Vulnerability in Apache Camel's File-Based Key Manager
CVE-2026-40048

Key Information:

Vendor: Apache

CVE Published: 27 April 2026

What is CVE-2026-40048?

The FileBasedKeyLifecycleManager class in Apache Camel deserializes <keyId>.key files with java.io.ObjectInputStream without installing an ObjectInputFilter or otherwise restricting which classes may be loaded from the stream. Because the stream itself names the classes to instantiate, a crafted .key file can drive unsanitized deserialization and lead to arbitrary code execution. An attacker who can write into the key directory, for example through a path traversal flaw or a filesystem permission misconfiguration, can place a malicious serialized object there and have it deserialized. To mitigate this issue, upgrade to Apache Camel 4.20.0, which replaces Java serialization with a storage format based on the PKCS#8 (private key) and X.509 (public key) encodings.
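The following is an added example, not Apache Camel's code, that contrasts the unfiltered ObjectInputStream pattern the advisory describes with two defensive alternatives: an ObjectInputFilter allowlist that admits only the classes a serialized java.security.Key needs (Key implementations serialize as java.security.KeyRep via writeReplace), and encoded PKCS#8/X.509 storage rebuilt through KeyFactory, which is the direction the advisory says the 4.20.0 fix takes. Class names, file names and the temp directory are assumptions made for the demo; the allowlist and limits are tuned to the KeyRep stream form and would need revisiting for any other stored type.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Set;

/**
 * Added example (not Apache Camel code). Compares the unfiltered
 * ObjectInputStream pattern from the advisory with a filtered loader and
 * with encoded (PKCS#8 / X.509) storage that needs no Java serialization.
 */
public class KeyFileLoading {

    // The pattern the advisory describes: whatever object graph the file
    // contains is instantiated, and the file chooses the class names.
    static Key loadKeyUnfiltered(Path keyFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(keyFile))) {
            return (Key) in.readObject();
        }
    }

    // Mitigation 1: keep ObjectInputStream but install a strict allowlist.
    // A serialized Key arrives as java.security.KeyRep (its writeReplace form),
    // whose stream needs only these classes plus a byte[] and Strings
    // (Strings are not passed through the filter). Everything else is
    // REJECTED before any constructor, readObject or readResolve of it runs.
    static final Set<String> ALLOWED = Set.of(
            "java.security.KeyRep",
            "java.security.KeyRep$Type",
            "java.lang.Enum");

    static final ObjectInputFilter KEY_FILTER = info -> {
        if (info.depth() > 4 || info.references() > 32) {
            return ObjectInputFilter.Status.REJECTED;   // KeyRep is a tiny, flat graph
        }
        Class<?> cls = info.serialClass();
        if (cls == null) {
            return ObjectInputFilter.Status.UNDECIDED;  // limit-only check, no class involved
        }
        while (cls.isArray()) {
            cls = cls.getComponentType();
        }
        if (cls.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;    // the byte[] holding the encoded key
        }
        return ALLOWED.contains(cls.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    static Key loadKeyFiltered(Path keyFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(keyFile))) {
            in.setObjectInputFilter(KEY_FILTER);
            return (Key) in.readObject();
        }
    }

    // Mitigation 2: no Java serialization at all. The file holds only the
    // PKCS#8 or X.509 encoding and KeyFactory rebuilds the key, so the file
    // cannot name a class to instantiate.
    static PrivateKey loadPkcs8(Path file, String algorithm) throws GeneralSecurityException, IOException {
        return KeyFactory.getInstance(algorithm)
                .generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(file)));
    }

    static PublicKey loadX509(Path file, String algorithm) throws GeneralSecurityException, IOException {
        return KeyFactory.getInstance(algorithm)
                .generatePublic(new X509EncodedKeySpec(Files.readAllBytes(file)));
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("keydemo");   // constructed demo location
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();

        // A legitimate serialized key: the filtered loader accepts it.
        Path serialized = dir.resolve("good.key");
        try (ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(serialized))) {
            out.writeObject(kp.getPrivate());
        }
        System.out.println("filtered load: " + loadKeyFiltered(serialized).getAlgorithm());

        // A valid serialization stream that is not a key (a benign HashMap
        // stands in for "any class the file chooses"): the unfiltered loader
        // would instantiate it and fail only on the cast; the filtered loader
        // rejects the class before it is instantiated.
        Path foreign = dir.resolve("foreign.key");
        try (ObjectOutputStream out = new ObjectOutputStream(Files.newOutputStream(foreign))) {
            out.writeObject(new HashMap<String, String>());
        }
        try {
            loadKeyFiltered(foreign);
        } catch (InvalidClassException e) {
            System.out.println("filtered load rejected: " + e.getMessage());
        }

        // Encoded storage: the file is key bytes, not an object graph.
        Path pkcs8 = dir.resolve("good.p8");
        Files.write(pkcs8, kp.getPrivate().getEncoded());
        System.out.println("pkcs8 load: " + loadPkcs8(pkcs8, "RSA").getFormat());
        Path x509 = dir.resolve("good.pub");
        Files.write(x509, kp.getPublic().getEncoded());
        System.out.println("x509 load: " + loadX509(x509, "RSA").getAlgorithm());
    }
}
```

The filter is applied per stream with setObjectInputFilter, so it protects only this loader; a JVM-wide baseline can also be set with the jdk.serialFilter system property. Of the two mitigations, the encoded-storage form is the stronger one for this use case because it removes ObjectInputStream from the key path entirely, which is why an upgrade to the fixed release is preferable to filtering alone.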

Affected Version(s)

  • Apache Camel PQC 4.19.0 < 4.20.0

  • Apache Camel PQC 4.18.0 < 4.18.2

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrea Cosentino from ASF

Venkatraman Kumar from Securin