PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46590 Apache CVE debrief

CVE-2026-46590 is a Deserialization of Untrusted Data vulnerability in the Apache Camel PQC component. The camel-pqc component persists post-quantum key metadata through pluggable KeyLifecycleManager implementations. HashicorpVaultKeyLifecycleManager and AwsSecretsManagerKeyLifecycleManager read that metadata back from the configured secret backend by deserializing a Base64-wrapped value with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObject() side effects in a crafted object run before the type check. The same unfiltered legacy-migration read also remained in FileBasedKeyLifecycleManager. A principal who can write to the operator-controlled backend that holds these values could store a crafted serialized object that is deserialized during normal key-lifecycle operations, potentially leading to code execution in the context of the application that manages the keys.

Vendor
Apache
Product
Camel
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Users of Apache Camel versions from 4.18.0 before 4.18.3, and from 4.19.0 before 4.21.0 should be aware of this vulnerability. System administrators and security teams responsible for Apache Camel deployments should assess the risk and apply necessary mitigations.

Technical summary

The Apache Camel PQC component is vulnerable to Deserialization of Untrusted Data. The vulnerability arises from the deserialization of post-quantum key metadata without proper filtering or validation. This can allow an attacker with write access to the backend storing these values to inject malicious serialized objects, potentially leading to code execution. The vulnerability affects Apache Camel versions from 4.18.0 before 4.18.3 and from 4.19.0 before 4.21.0. Users of these versions should be aware of this vulnerability and take necessary mitigations.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Apache Camel version 4.21.0 or later
  • Restrict write access to the key backend to only the application's own identity
  • Keep the PQC key material in a backend separate from any data that less-trusted principals can write
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-06T09:16:37.147Z and was last modified on 2026-07-08T15:05:34.147Z. The NVD entry is currently Analyzed. The vulnerability was reported by an external researcher and is being tracked by the Apache Camel security team. There are no known instances of this vulnerability being exploited in the wild.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.147Z and has not been modified since then. The NVD entry is currently Analyzed.