Deserialization Vulnerability in Apache Camel PQC Component
CVE-2026-43867
Currently unrated
What is CVE-2026-43867?
The Apache Camel PQC Component is susceptible to a vulnerability allowing deserialization of untrusted data. This occurs when the AwsSecretsManagerKeyLifecycleManager reads post-quantum key metadata from AWS Secrets Manager without adequate validation measures, enabling potential code execution within the application context. Affected versions include Apache Camel from 4.18.0 before 4.18.3 and from 4.19.0 before 4.21.0. It is advised that users upgrade to version 4.21.0 for a fix or restrict write access to relevant secrets as a temporary mitigation.
Affected Version(s)
Apache Camel 4.18.0 < 4.18.3
Apache Camel 4.19.0 < 4.21.0