CVE-2026-40048

Published: Apr 27, 2026 Last Modified: Apr 28, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,8
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Attack Vector: local
Attack Complexity: low
Privileges Required: low
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high

Description

AI Translation Available

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack — can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application.

This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2.

Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0007
Percentile
0,2th
Updated

EPSS Score Trend (Last 4 Days)

502

Deserialization of Untrusted Data

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Availability Other
Potential Impacts:
Modify Application Data Unexpected State Dos: Resource Consumption (Cpu) Varies By Context
Applicable Platforms
Languages: Java, JavaScript, PHP, Python, Ruby
Technologies: AI/ML, ICS/OT, Not Technology-Specific
Likelihood of Exploit: Medium
View CWE Details
Application

Camel by Apache

Product Information
Vendor Apache
Product Camel
Version Range Affected
From 4.18.0 (inclusive)
To 4.18.2 (exclusive)
cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Camel by Apache

Product Information
Vendor Apache
Product Camel
Version 4.19.0
cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
http://www.openwall.com/lists/oss-security/2026/04/26/6
http://www.openwall.com/lists/oss-security/2026/04/26/6
https://camel.apache.org/security/CVE-2026-40048.html
https://camel.apache.org/security/CVE-2026-40048.html