PT-2026-35369 · Apache · Apache Camel

Andrea Cosentino +1

Published 2026-04-27 · Updated 2026-04-27

CVE-2026-40048

CVSS v3.1: 7.8 High
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Apache Camel versions 4.19.0 through 4.19.x
Apache Camel versions 4.18.0 through 4.18.1
Description

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of <keyId>.key files in the configured key directory using java.io.ObjectInputStream without applying an ObjectInputFilter or any class-loading restrictions. Because the cast to java.security.KeyPair happens only after readObject() has returned, any side effects carried by the deserialized object graph run before the type check. An attacker with write access to the key directory—potentially gained via path traversal, misconfigured filesystem permissions, a compromised key provisioning pipeline, or a symlink attack—can place a crafted serialized Java object there and achieve arbitrary code execution within the application context.
Recommendations

Upgrade to version 4.20.0. Users on the 4.18.x LTS release stream should upgrade to version 4.18.2.
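The following is an added illustration, not code from Apache Camel: the unfiltered read pattern the description refers to, beside a hardened loader that installs an ObjectInputFilter allow-list before readObject() runs. The class name, the allow-list contents and the resource limits are assumptions for this example; a deployment must list exactly the classes its own provider's keys serialise to.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyPair;

public final class KeyPairFileLoader {

    // Unfiltered pattern: every class named in the stream is resolved and
    // instantiated, and its deserialization hooks run inside readObject()
    // before the cast to KeyPair is ever evaluated.
    static KeyPair loadUnfiltered(Path keyFile) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(Files.newInputStream(keyFile))) {
            return (KeyPair) in.readObject();   // type check happens too late
        }
    }

    // Assumed allow-list (hypothetical for this example): KeyPair itself, the
    // java.security.KeyRep proxy that JDK key implementations serialise as, and
    // the enum and String types KeyRep references. Keys from a third-party
    // provider serialise through that provider's own classes, which would have
    // to be added here explicitly; every other class is rejected by "!*".
    private static final ObjectInputFilter KEY_PAIR_FILTER = ObjectInputFilter.Config.createFilter(
        "java.security.KeyPair;"
        + "java.security.KeyRep;java.security.KeyRep$Type;java.lang.Enum;"
        + "java.lang.String;"
        + "maxdepth=8;maxrefs=64;maxbytes=65536;"   // a key pair is small and shallow
        + "!*");

    // Hardened pattern: the filter is consulted when a class descriptor is
    // read, so a crafted object graph fails on its first foreign class with
    // InvalidClassException instead of executing anything.
    static KeyPair loadFiltered(Path keyFile) throws IOException, ClassNotFoundException {
        try (InputStream raw = Files.newInputStream(keyFile);
             ObjectInputStream in = new ObjectInputStream(raw)) {
            in.setObjectInputFilter(KEY_PAIR_FILTER);   // must precede readObject()
            Object obj = in.readObject();
            if (!(obj instanceof KeyPair)) {
                throw new IOException("key file " + keyFile + " did not contain a KeyPair");
            }
            return (KeyPair) obj;
        }
    }
}
```

The stronger option is to avoid Java serialization for key material altogether: persist the bytes from getEncoded() and rebuild the keys through KeyFactory, so the file format never names a class at all.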

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2026-40048
GHSA-V3VG-332R-MW99

Affected Products

Apache Camel