CVE-2026-46590
Apache Software Foundation · Apache Camel
The Apache Camel PQC component is susceptible to a Deserialization of Untrusted Data vulnerability, potentially allowing remote code execution if exploited.
Executive summary
A critical deserialization vulnerability in the Apache Camel PQC component could allow an authenticated attacker to execute arbitrary code on affected systems.
Vulnerability
This vulnerability involves the insecure deserialization of untrusted data (CWE-502) within the PQC component. An authenticated attacker can leverage this flaw to trigger unauthorized code execution.
Business impact
Successful exploitation of this vulnerability can result in a full system compromise, including the loss of confidentiality, integrity, and availability of the host environment. Given the high CVSS score of 8.8, this vulnerability represents an urgent threat to any infrastructure relying on Apache Camel for data processing.
Remediation
Immediate Action: Upgrade Apache Camel to version 4.18.3 or 4.21.0, or the latest stable release provided by the vendor.
Proactive Monitoring: Review application access logs for unusual serialization patterns or unexpected inbound data streams that may indicate exploitation attempts.
Compensating Controls: Restrict network access to the affected service to trusted internal sources only, and utilize runtime security tools to monitor for spawned child processes.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Organizations must prioritize upgrading the Apache Camel framework to the specified non-vulnerable versions. Given the potential for remote code execution, this update should be treated as a high-priority maintenance task.