Apache Camel Camel-PQC Unsafe Deserialization Enables Code Execution
Apache disclosed CVE-2026-40048, an unsafe deserialization flaw in the Camel-PQC component of Apache Camel that can lead to arbitrary code execution. The vulnerability is in FileBasedKeyLifecycleManager, which deserializes <keyId>.key files with java.io.ObjectInputStream without ObjectInputFilter or class-loading restrictions, allowing malicious readObject() behavior to run before the data is cast to java.security.KeyPair. An attacker who can place a crafted file in the configured key directory—through path traversal, weak filesystem permissions, a compromised key provisioning pipeline, or a symlink attack—could execute code in the context of the Camel application.
The issue affects org.apache.camel:camel-pqc versions 4.19.0 before 4.20.0 and 4.18.0 before 4.18.2. Apache fixed the flaw by replacing ObjectInputStream-based key and metadata storage with PKCS#8 and X.509 SubjectPublicKeyInfo Base64 JSON encoding, and advised users to upgrade to 4.20.0 or 4.18.2 on the 4.18.x LTS line. Apache credited Andrea Cosentino of the Apache Software Foundation and Venkatraman Kumar of Securin with discovering the vulnerability.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
oss-sec republishes Apache Camel CVE-2026-40048 disclosure
An oss-sec post summarized CVE-2026-40048, describing the unsafe deserialization issue in Camel-PQC's FileBasedKeyLifecycleManager and reiterating that upgrading to Camel 4.20.0 or 4.18.2 mitigates the risk. The post did not introduce materially new incident details beyond Apache's advisory.
Apache publishes advisory for CVE-2026-40048
Apache disclosed CVE-2026-40048 as a high-severity unsafe deserialization vulnerability in Camel-PQC that could allow arbitrary code execution if an attacker can write crafted serialized objects into the configured key directory. The advisory credited Andrea Cosentino of the Apache Software Foundation and Venkatraman Kumar of Securin for discovering the issue and urged users to upgrade.
Apache fixes CVE-2026-40048 in Camel-PQC releases
Apache addressed an unsafe deserialization flaw in Camel-PQC's FileBasedKeyLifecycleManager by replacing ObjectInputStream-based key storage with PKCS#8 and X.509 SubjectPublicKeyInfo Base64 JSON encoding. The fix was released in Apache Camel versions 4.20.0 and 4.18.2, affecting vulnerable versions 4.19.0 before 4.20.0 and 4.18.0 before 4.18.2.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
oss-sec: CVE-2026-40048: Apache Camel: Camel-PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager
seclists.org
Open sourceGitHub - oscerd/CVE-2026-25747: CVE-2026-25747 - Camel LevelDB Deserialization Vulnerability · GitHub
github.com
Open sourceApache Camel Security Advisory - CVE-2026-40048 - Apache Camel
camel.apache.org
Open sourceApache Camel Security Advisory - CVE-2026-25747 - Apache Camel
camel.apache.org
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache Camel Deserialization Flaws Expose JMS, Mina, and Infinispan Deployments to RCE
Apache disclosed three unsafe deserialization vulnerabilities in **Apache Camel** that can lead to remote code execution in deployments using `camel-mina`, JMS-related components, and `camel-infinispan`. **CVE-2026-40473** affects `camel-mina`, where `MinaConverter.toObjectInput()` wraps network-supplied TCP or UDP data in `java.io.ObjectInputStream` without `ObjectInputFilter` or class-loading restrictions; a crafted serialized Java object can execute during `readObject()`. **CVE-2026-40860** affects `camel-jms`, `camel-sjms`, `camel-sjms2`, and `camel-amqp`, where Camel deserializes JMS `ObjectMessage` payloads through `ObjectMessage.getObject()` with the default `mapJmsMessage` option enabled and without filtering or allow/deny lists, allowing an attacker who can publish to a consumed queue or topic to trigger code execution if a gadget chain is present. Apache also disclosed **CVE-2026-40858** in `camel-infinispan`, where the ProtoStream-based remote aggregation repository deserializes data from a remote Infinispan cache using `java.io.ObjectInputStream` without an input filter; an attacker able to write to the cache can inject a malicious serialized object that executes during normal `get` or `recover` operations. The affected versions span multiple Camel release lines, including `3.0.0` and later for the JMS issue, `3.0.0` and later for `camel-mina`, and `4.0.0` and later for `camel-infinispan`, with fixes released in **4.20.0** and backported to supported streams including **4.14.6/4.14.7** and **4.18.2**. Apache tracks the flaws as `CAMEL-23319`, `CAMEL-23321`, and `CAMEL-23322`, with reports credited to researchers from **Securin** and **Innora Pte. Ltd.**
Apr 27, 2026
Apache Camel flaws expose mail, CoAP, JMS, and HTTP routes to RCE and auth bypass
Apache disclosed four vulnerabilities in **Apache Camel** affecting message handling and request protection across multiple components. The most severe issues, **`CVE-2026-33453`** and **`CVE-2026-33454`**, allow attackers to inject Camel internal headers through untrusted inputs that are copied into the Exchange without proper inbound filtering. In `camel-coap`, a single unauthenticated UDP packet can place arbitrary query parameters into Exchange headers, enabling pre-authentication remote code execution when routes forward data to header-sensitive components such as `camel-exec`, `camel-sql`, `camel-bean`, `camel-file`, or template processors. In `camel-mail`, emails received over IMAP or POP3 can carry crafted MIME headers with the `Camel` prefix that reach downstream components and similarly influence execution, making remote code execution possible in vulnerable deployments.
Apr 27, 2026
Apache Camel K Authorization Bypass Enables Cross-Namespace Build Attacks
Apache disclosed **CVE-2026-45760**, an important-severity vulnerability in **Apache Camel K** that allows an authenticated user in one Kubernetes namespace to create a malicious `Build` resource that influences pod generation in another namespace. The flaw stems from an authorization bypass tied to a user-controlled key and an externally controlled reference to a resource in another sphere, enabling a cross-namespace **Build Deputy** attack that can reach even the operator namespace and weaken namespace isolation in multi-tenant clusters. The issue affects Apache Camel K versions **2.0.0 through before 2.8.1**, **2.9.0 through before 2.9.2**, and **2.10.0 through before 2.10.1**. Apache released fixes in **2.8.1**, **2.9.2**, and **2.10.1**, and urged administrators to upgrade immediately because successful exploitation could open a path to broader Kubernetes cluster compromise. The vulnerability was reported by **@j311yl0v3u** and **@b0b0haha**.
May 24, 2026