Deserialization Vulnerability in Apache Camel's File-Based Key Manager
CVE-2026-40048

7.8 HIGH

Key Information:

Vendor: Apache

CVE Published: 27 April 2026

What is CVE-2026-40048?

The FileBasedKeyLifecycleManager class in Apache Camel reads <keyId>.key files with java.io.ObjectInputStream without installing an ObjectInputFilter or otherwise restricting which classes may be loaded during deserialization. Because Java serialization instantiates whatever object graph the file describes, unfiltered deserialization of an attacker-controlled file can lead to arbitrary code execution. Exploitation requires write access to the key directory, which an attacker could obtain through path traversal or misconfigured filesystem permissions and then use to place malicious serialized objects where the manager will read them. To mitigate this issue, upgrade to Apache Camel version 4.20.0, which replaces Java serialization with standard key encodings (PKCS#8 for private keys and X.509 for public keys) for on-disk storage.
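The two storage approaches the advisory contrasts, as an added illustration (this is not Apache Camel's code, and the class and method names, the "EC" algorithm and the file names are assumptions chosen so the example runs on any stock JDK). The first method shows the unsafe pattern, an ObjectInputStream with no ObjectInputFilter; the remaining methods show the mitigation the fixed version adopts, storing only the PKCS#8 or X.509 DER bytes and reconstructing keys with KeyFactory, so the file contains no class names and nothing to instantiate.

```java
import java.io.IOException;
import java.io.ObjectInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;

// Hypothetical example class, not part of Apache Camel.
public class KeyFileStorageExample {

    // Unsafe pattern (the bug class described above): the stream instantiates whatever
    // object graph the file contains, so anyone who can write the file chooses which
    // classes get constructed. Shown for contrast only; main() never calls it.
    static Key loadKeyViaJavaSerialization(Path keyFile)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(keyFile))) {
            return (Key) in.readObject();   // no ObjectInputFilter, no class restriction
        }
    }

    // Safer pattern: persist only the standard encodings. PKCS#8 (private key) and
    // X.509 SubjectPublicKeyInfo (public key) are plain ASN.1 structures parsed by
    // KeyFactory; there is no object graph and no class name in the file.
    static void storePrivateKey(Path keyFile, PrivateKey key) throws IOException {
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new IllegalArgumentException("expected PKCS#8 encoding, got " + key.getFormat());
        }
        Files.write(keyFile, key.getEncoded());
    }

    static void storePublicKey(Path keyFile, PublicKey key) throws IOException {
        if (!"X.509".equals(key.getFormat())) {
            throw new IllegalArgumentException("expected X.509 encoding, got " + key.getFormat());
        }
        Files.write(keyFile, key.getEncoded());
    }

    static PrivateKey loadPrivateKey(Path keyFile, String algorithm)
            throws IOException, GeneralSecurityException {
        byte[] der = Files.readAllBytes(keyFile);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    static PublicKey loadPublicKey(Path keyFile, String algorithm)
            throws IOException, GeneralSecurityException {
        byte[] der = Files.readAllBytes(keyFile);
        return KeyFactory.getInstance(algorithm).generatePublic(new X509EncodedKeySpec(der));
    }

    public static void main(String[] args) throws Exception {
        // "EC" is used only because every JDK ships it (assumption for this example);
        // the Camel PQC component uses post-quantum algorithms, which take the same
        // getEncoded()/KeyFactory path.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        KeyPair kp = kpg.generateKeyPair();

        Path dir = Files.createTempDirectory("keys");   // constructed temp key directory
        Path priv = dir.resolve("demo.key");
        Path pub = dir.resolve("demo.pub");
        storePrivateKey(priv, kp.getPrivate());
        storePublicKey(pub, kp.getPublic());

        PrivateKey loadedPriv = loadPrivateKey(priv, "EC");
        PublicKey loadedPub = loadPublicKey(pub, "EC");
        System.out.println("private key round-trip ok: "
                + Arrays.equals(kp.getPrivate().getEncoded(), loadedPriv.getEncoded()));
        System.out.println("public key round-trip ok: "
                + Arrays.equals(kp.getPublic().getEncoded(), loadedPub.getEncoded()));

        // A file that is not valid PKCS#8 (here: a constructed stub starting with the
        // Java serialization stream magic 0xACED0005) is rejected by the parser with an
        // InvalidKeySpecException instead of being deserialized.
        Files.write(priv, new byte[] {(byte) 0xAC, (byte) 0xED, 0x00, 0x05});
        try {
            loadPrivateKey(priv, "EC");
        } catch (GeneralSecurityException e) {
            System.out.println("non-PKCS#8 file rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

The check on getFormat() before writing is the point of the design: a key manager that only ever writes DER encodings, and only ever reads them back through KeyFactory, has no code path on which a crafted file can select a class to instantiate. Restricting write access to the key directory remains worthwhile as defence in depth, but the fix removes the deserialization sink itself.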

Affected Version(s)

Apache Camel PQC from 4.19.0 before 4.20.0

Apache Camel PQC from 4.18.0 before 4.18.2

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

  • Andrea Cosentino from ASF

  • Venkatraman Kumar from Securin