SecurinZero Days
    Email Us
    Zero-Day Research/CVE-2026-40048
    ▲ HighCVSS 7.8EPSS 0.00342%

    Camel-PQC: Unsafe Deserialization from FileBasedKeyLifecycleManager

    The Camel-PQC FileBasedKeyLifecycleManager deserializes .key files using ObjectInputStream without ObjectInputFilter or class-loading restrictions. An attacker who can write to the key directory can place a crafted serialized object to achieve arbitrary code execution during normal key lifecycle operations.

    CVE IDCVE-2026-40048
    CVSS v3.17.8 High
    VendorApache
    CWECWE-502: Deserialization of Untrusted Data
    DisclosedApr 27, 2026
    StatusPublished
    All advisories
    • 01Description
    • 02Proof of Concept
    • 03Vulnerable Code
    • 04Trigger Conditions
    • 05Impact
    • 06Remediation
    • 07Timeline
    • 08References
    01/Description

    What this actually is.

    Technical background, root cause, and affected surface.

    The FileBasedKeyLifecycleManager in Apache Camel's camel-pqc module reads .key files from a configured directory and deserializes them using java.io.ObjectInputStream without applying ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair occurs after readObject() returns, meaning gadget chain side-effects execute before any type rejection can occur.

    Vendor
    Apache
    Product
    Apache Camel
    Severity
    High
    CVSS Score
    7.8
    Status
    Published
    CWE
    CWE-502: Deserialization of Untrusted Data
    Vector
    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    02/Proof of Concept

    From one request
    to root shell.

    Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

    7.8CVSS 3.1
    VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    ScopeUnchanged
    ImpactC:H / I:H / A:H
    SeverityHigh
    PoC · Exploitation Steps▲ trigger
    01No public PoC available
    03/Vulnerable Code

    The bug, and the fix.

    FileBasedKeyLifecycleManager.java: ObjectInputStream ois = new ObjectInputStream(fis); KeyPair kp = (KeyPair) ois.readObject(); // No ObjectInputFilter applied before readObject()

    Root cause: ObjectInputStream used without ObjectInputFilter; type cast occurs post-deserialization allowing gadget chain execution before type check

    04/Trigger Conditions

    When does this fire?

    All conditions must be true for the exploit to succeed.

    Attacker gains write access to the Camel PQC key directory (via path traversal, misconfigured filesystem permissions, compromised key provisioning pipeline, or symlink attack) and places a crafted serialized Java gadget chain as a .key file

    05/Impact

    What an attacker does to you.

    Post-exploitation outcomes mapped to CVSS impact metrics.

    Arbitrary code execution in the context of the Camel application process; potential full host compromise

    06/Remediation

    Fix it. In this order.

    A runbook, not a checklist. Sequence matters — assume compromise before you act.

    Upgrade to Apache Camel 4.20.0 or 4.18.2. The fix replaces ObjectInputStream-based key storage with PKCS#8 / X.509 SubjectPublicKeyInfo Base64 JSON encoding. Restrict write permissions on key directories.

    Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2026-40048, contact disclose@securin.io
    07/Disclosure Timeline

    Vendors moved in days.
    Attackers in hours.

    Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

    Vendor notified

    2026-04-27: CVE published | 2026-04-26: Fix released in Camel 4.20.0 and 4.18.2

    Timeline recorded · Disclosure coordinated by Securin

    08/References

    Cite, verify, go deeper.

    Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

    NVD

    NVD — CVE-2026-40048

    nvd.nist.gov/vuln/detail/CVE-2026-40048 →
    SEC

    Securin VI — Full Technical Analysis

    vi.securin.io →
    APACHE

    https://camel.apache.org/security/CVE-2026-40048.html

    https://camel.apache.org/security/CVE-2026-40048.html →

    Let Securin level up your security posture.

    Get a live exposure assessment, threat-actor briefing tailored to your sector, and IoC mapping for your SIEM.

    Browse all advisories
    SecurinSecurinZero Days

    Securin's zero-day research operation combines frontier AI models with a decade of offensive expertise — discovering, validating, and coordinating the disclosure of high-impact vulnerabilities at a scale and speed no human team achieves alone.

    Glossary
    © 2026 Securin Inc · CVE Numbering Authority
    Privacy Policy·Data Processing Addendum