Deserialization Vulnerability in Apache Camel PQC Component
CVE-2026-46590

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-46590?

The deserialization vulnerability in Apache Camel's PQC component allows malicious actors to exploit untrusted data during key lifecycle operations. This vulnerability arises from the use of raw object deserialization without proper input filtering, particularly affecting pluggable KeyLifecycleManager implementations such as HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager. Attackers with write access to the secret backend could craft and store a serialized object, which would be deserialized during normal operations, potentially leading to unauthorized code execution. This issue highlights the importance of secure coding practices, particularly in managing sensitive key metadata.

Affected Version(s)

Apache Camel 4.18.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu Bao from Paypal
Andrea Cosentino
.