Deserialization Vulnerability in Apache Camel PQC Component
CVE-2026-43867

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-43867?

The Apache Camel PQC Component is susceptible to a vulnerability allowing deserialization of untrusted data. This occurs when the AwsSecretsManagerKeyLifecycleManager reads post-quantum key metadata from AWS Secrets Manager without adequate validation measures, enabling potential code execution within the application context. Affected versions include Apache Camel from 4.18.0 before 4.18.3 and from 4.19.0 before 4.21.0. It is advised that users upgrade to version 4.21.0 for a fix or restrict write access to relevant secrets as a temporary mitigation.

Affected Version(s)

Apache Camel 4.18.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Venkatraman Kumar from Securin
Andrea Cosentino
.