Copyright © 2012 Red Hat, Inc. All rights reserved. Important 2026-04-27T07:53:54 Apache Camel: Apache Camel: Arbitrary code execution via insecure deserialization of crafted key files 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CWE-502

A flaw was found in Apache Camel. The FileBasedKeyLifecycleManager class deserializes key files without proper validation, allowing an attacker who can write to the key directory to place a specially crafted serialized Java object. When this object is deserialized during normal key operations, it can lead to arbitrary code execution within the application. This vulnerability stems from insecure deserialization of untrusted data.

Red Hat build of Apache Camel for Spring Boot 4 Not affected camel-pqc https://www.cve.org/CVERecord?id=CVE-2026-40048 https://nvd.nist.gov/vuln/detail/CVE-2026-40048 http://www.openwall.com/lists/oss-security/2026/04/26/6 https://camel.apache.org/security/CVE-2026-40048.html