What this actually is.
Technical background, root cause, and affected surface.
The FileBasedKeyLifecycleManager in Apache Camel's camel-pqc module reads .key files from a configured directory and deserializes them using java.io.ObjectInputStream without applying ObjectInputFilter or class-loading restrictions. The cast to java.security.KeyPair occurs after readObject() returns, meaning gadget chain side-effects execute before any type rejection can occur.
- Vendor
- Apache
- Product
- Apache Camel
- Severity
- High
- CVSS Score
- 7.8
- Status
- Published
- CWE
- CWE-502: Deserialization of Untrusted Data
- Vector
- CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
FileBasedKeyLifecycleManager.java: ObjectInputStream ois = new ObjectInputStream(fis); KeyPair kp = (KeyPair) ois.readObject(); // No ObjectInputFilter applied before readObject()
Root cause: ObjectInputStream used without ObjectInputFilter; type cast occurs post-deserialization allowing gadget chain execution before type check
When does this fire?
All conditions must be true for the exploit to succeed.
Attacker gains write access to the Camel PQC key directory (via path traversal, misconfigured filesystem permissions, compromised key provisioning pipeline, or symlink attack) and places a crafted serialized Java gadget chain as a .key file
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Arbitrary code execution in the context of the Camel application process; potential full host compromise
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Apache Camel 4.20.0 or 4.18.2. The fix replaces ObjectInputStream-based key storage with PKCS#8 / X.509 SubjectPublicKeyInfo Base64 JSON encoding. Restrict write permissions on key directories.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-04-27: CVE published | 2026-04-26: Fix released in Camel 4.20.0 and 4.18.2
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.