PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-43867 Apache CVE debrief

CVE-2026-43867 is a Deserialization of Untrusted Data vulnerability in the Apache Camel PQC Component. The vulnerability exists in the camel-pqc component, which stores post-quantum key metadata through pluggable KeyLifecycleManager implementations. Specifically, AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() reads metadata from the AWS Secrets Manager secret by Base64-decoding and deserializing it with a raw java.io.ObjectInputStream.readObject() without an ObjectInputFilter or class allow-list. This allows a principal with write access to the AWS Secrets Manager secret to store a crafted serialized object that could lead to code execution during normal key-lifecycle operations. The vulnerability affects Apache Camel versions from 4.18.0 before 4.18.3 and from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0 or apply the recommended mitigations.

Vendor
Apache
Product
Camel
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of Apache Camel from version 4.18.0 before 4.18.3, and from 4.19.0 before 4.21.0, should be aware of this vulnerability. Operators managing Apache Camel deployments, platform administrators, vulnerability management teams, and security teams should review the vulnerability details and apply mitigations according to vendor guidance. Affected deployments may require immediate attention to prevent potential code execution.

Technical summary

A Deserialization of Untrusted Data vulnerability exists in the Apache Camel PQC Component. The camel-pqc component stores post-quantum key metadata through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() reads this metadata from the AWS Secrets Manager secret by Base64-decoding and deserializing it with a raw java.io.ObjectInputStream.readObject() without an ObjectInputFilter or class allow-list. A principal with write access to the AWS Secrets Manager secret could store a crafted serialized object that could lead to code execution during normal key-lifecycle operations.

Defensive priority

High priority should be given to upgrading to version 4.21.0 or applying the recommended mitigations.

Recommended defensive actions

  • Upgrade to Apache Camel version 4.21.0
  • If on the 4.18.x LTS releases stream, upgrade to 4.18.3
  • Restrict write access to the AWS Secrets Manager secret holding camel-pqc key metadata to the application's own identity
  • Keep PQC key material in a separate secret from data that less-trusted principals can write
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and affected versions. The Apache Camel security page provides mitigation and vendor advisory information. Evidence is limited to public sources and may not reflect the full scope or impact of this vulnerability. Defenders should verify affected deployments, review official advisories, and apply mitigations according to vendor guidance. Additional information may be available through Apache Camel's security advisories or community forums.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:36.057Z and has not been modified since then. The NVD entry is currently Analyzed.