CVE-2026-43867
Summary
by MITRE • 07/06/2026
Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component.
The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() reads that metadata back from the configured AWS Secrets Manager secret by Base64-decoding the stored value and deserializing it with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObject() side effects in a crafted object run before the type check. A principal who can write to the AWS Secrets Manager secret that holds this metadata (requiring secretsmanager:PutSecretValue on that secret) could store a crafted serialized object that is deserialized during normal key-lifecycle operations, potentially leading to code execution in the context of the application that manages the keys. This is the same underlying defect, in the same code path and remediated by the same fix, as CVE-2026-46590, which was reported independently and additionally covers the HashiCorp Vault and file-based sibling managers; both are incomplete-remediation follow-ons to CVE-2026-40048 (CAMEL-23200). This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, restrict write access to the AWS Secrets Manager secret that holds the camel-pqc key metadata so that only the application’s own identity holds secretsmanager:PutSecretValue on it (least-privilege IAM), and keep the PQC key material in a secret separate from any data that less-trusted principals can write.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/06/2026
The vulnerability described represents a critical deserialization flaw in Apache Camel's PQC component that operates under the Common Weakness Enumeration framework as CWE-502, specifically targeting insecure deserialization of untrusted data. This weakness occurs when applications deserialize objects from untrusted sources without proper validation mechanisms, creating potential attack vectors for remote code execution. The issue manifests within the camel-pqc component where post-quantum key metadata is persisted through pluggable KeyLifecycleManager implementations, with the AwsSecretsManagerKeyLifecycleManager serving as a primary implementation that handles metadata storage and retrieval from AWS Secrets Manager.
The technical flaw resides in the deserializeMetadata() method of AwsSecretsManagerKeyLifecycleManager which performs Base64 decoding followed by direct deserialization using java.io.ObjectInputStream.readObject() without any ObjectInputFilter or class allow-list mechanisms. This approach allows attackers to craft malicious serialized objects that, when processed during normal key-lifecycle operations, execute arbitrary code within the application's security context. The vulnerability's design flaw is particularly dangerous because the type casting to KeyMetadata occurs after readObject() returns, meaning any side effects from malicious object deserialization execute before the type validation check occurs. This timing allows attackers to manipulate the deserialization process and potentially exploit the application in ways that bypass normal security boundaries.
The operational impact of this vulnerability extends across multiple attack vectors within the MITRE ATT&CK framework, specifically mapping to techniques such as T1059.007 (Command and Scripting Interpreter: Python) and T1566.002 (Phishing: Spearphishing Attachment) where attackers could leverage compromised key management systems to achieve persistent code execution. The vulnerability affects Apache Camel versions from 4.18.0 through 4.18.2 and from 4.19.0 through 4.20.0, representing a significant security regression that has been addressed through version 4.21.0. Organizations utilizing the 4.18.x LTS stream should specifically upgrade to 4.18.3 as a minimal patch release to address this issue.
Security remediation efforts must focus on implementing proper object deserialization safeguards that align with industry best practices and security standards. The recommended fix involves upgrading to Apache Camel version 4.21.0 or the appropriate LTS patch version 4.18.3, which incorporates proper input filtering mechanisms and class validation controls. Organizations unable to immediately upgrade should implement least-privilege IAM policies restricting write access to AWS Secrets Manager secrets containing key metadata, ensuring that only the application's own identity holds secretsmanager:PutSecretValue permissions. Additionally, security teams should separate PQC key material from any data that less-trusted principals can modify, implementing network segmentation and privilege separation controls to minimize potential impact if other system components are compromised. This vulnerability demonstrates the critical importance of validating untrusted input during deserialization processes and highlights how seemingly routine operations like key management can become attack surfaces when proper security controls are not implemented.