CVE-2026-40048
Published: 27 April 2026
Summary
CVE-2026-40048 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Camel. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 20.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly remediates the deserialization vulnerability by requiring timely application of vendor patches, upgrading Apache Camel to versions that use safe PKCS#8/X.509 key encoding.
- AC-6 (Least Privilege): Enforces least privilege on the key directory so that low-privileged attackers cannot write malicious serialized objects into it via path traversal, misconfigured permissions, or symlink attacks.
- Establishes secure cryptographic key management processes that mitigate the risk of unsafe deserialization in key lifecycle operations by mandating protected key storage and handling.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unsafe Java deserialization without an ObjectInputFilter enables arbitrary code execution when a malicious serialized object is placed in the key directory (via write access or path traversal), escalating from low-privileged local access to full control of the application.
NVD Description
The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack — can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.
Deeper analysis
CVE-2026-40048 is a deserialization vulnerability in the Camel-PQC FileBasedKeyLifecycleManager class of Apache Camel. This class deserializes the contents of `<keyId>.key` files in the configured key directory using `java.io.ObjectInputStream` without applying any `ObjectInputFilter` or class-loading restrictions. The cast to `java.security.KeyPair` occurs only after `readObject()` has returned, allowing side effects from deserialized objects to execute beforehand. The vulnerability affects Apache Camel versions from 4.19.0 before 4.20.0 and from 4.18.0 before 4.18.2.
An attacker who can write to the key directory—via path traversal, misconfigured filesystem permissions, a compromised key provisioning pipeline, or symlink attacks—can place a crafted serialized Java object there. When the application performs normal key lifecycle operations, deserialization of the malicious object results in arbitrary code execution in the context of the Camel application. The issue has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-502 (Deserialization of Untrusted Data).
Apache Camel advisories recommend upgrading to version 4.20.0, which addresses the issue by replacing `java.io.ObjectInputStream`-based key and metadata storage with standard PKCS#8 (private key) and X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. Users on the 4.18.x LTS release stream should upgrade to 4.18.2. Additional details are available in the official advisory at https://camel.apache.org/security/CVE-2026-40048.html and the oss-security mailing list announcement at http://www.openwall.com/lists/oss-security/2026/04/26/6.
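The shape of the fix described above, storing keys as PKCS#8/X.509 DER bytes instead of a Java object stream, as an added illustration that is not Camel's own code: the three-line file layout and the algorithm allowlist are assumptions made for this example (the real fix uses a Base64 JSON encoding).

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.*;

// Assumed file layout (constructed for this example, not Camel's actual JSON format):
// line 1 = algorithm name, line 2 = Base64 PKCS#8 private key,
// line 3 = Base64 X.509 SubjectPublicKeyInfo public key.
public final class EncodedKeyStore {
    // Hypothetical allowlist; a file naming anything else is rejected before parsing.
    private static final Set<String> ALLOWED_ALGORITHMS = Set.of("EC", "RSA", "Ed25519");

    public static void save(KeyPair pair, Path file) throws Exception {
        // getEncoded() returns PKCS#8 DER for private keys and X.509 SPKI DER for public
        // keys: plain ASN.1 bytes, so there is no Java object graph for readObject() to run.
        Base64.Encoder b64 = Base64.getEncoder();
        Files.write(file, List.of(
                pair.getPrivate().getAlgorithm(),
                b64.encodeToString(pair.getPrivate().getEncoded()),
                b64.encodeToString(pair.getPublic().getEncoded())), StandardCharsets.US_ASCII);
    }

    public static KeyPair load(Path file) throws Exception {
        List<String> lines = Files.readAllLines(file, StandardCharsets.US_ASCII);
        if (lines.size() != 3 || !ALLOWED_ALGORITHMS.contains(lines.get(0)))
            throw new IllegalArgumentException("malformed or unsupported key file: " + file);
        Base64.Decoder b64 = Base64.getDecoder(); // throws on non-Base64 content
        KeyFactory kf = KeyFactory.getInstance(lines.get(0));
        // KeyFactory parses the DER structure; a tampered file yields an
        // InvalidKeySpecException, never a class load chosen by whoever wrote the file.
        PrivateKey priv = kf.generatePrivate(new PKCS8EncodedKeySpec(b64.decode(lines.get(1))));
        PublicKey pub = kf.generatePublic(new X509EncodedKeySpec(b64.decode(lines.get(2))));
        return new KeyPair(pub, priv);
    }

    public static void main(String[] args) throws Exception {
        KeyPair generated = KeyPairGenerator.getInstance("EC").generateKeyPair();
        Path file = Files.createTempFile("demo", ".key");
        save(generated, file);
        KeyPair reloaded = load(file);
        if (!Arrays.equals(generated.getPrivate().getEncoded(), reloaded.getPrivate().getEncoded()))
            throw new AssertionError("private key round trip failed");
        System.out.println("round trip ok: " + reloaded.getPublic().getAlgorithm());
        Files.delete(file);
    }
}
```

Where an upgrade cannot be applied immediately, the JDK's process-wide `jdk.serialFilter` system property can additionally restrict which classes any ObjectInputStream in the JVM may deserialize, which is a defense in depth rather than a replacement for the fixed release.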
Details
- CWE(s)