CVE-2026-46590

Apache Software Foundation · Apache Camel

The Apache Camel PQC component is susceptible to a Deserialization of Untrusted Data vulnerability, potentially allowing remote code execution if exploited.

Executive summary

A critical deserialization vulnerability in the Apache Camel PQC component could allow an authenticated attacker to execute arbitrary code on affected systems.

Vulnerability

This vulnerability involves the insecure deserialization of untrusted data (CWE-502) within the PQC component. An authenticated attacker can leverage this flaw to trigger unauthorized code execution.

Business impact

Successful exploitation of this vulnerability can result in a full system compromise, including the loss of confidentiality, integrity, and availability of the host environment. Given the high CVSS score of 8.8, this vulnerability represents an urgent threat to any infrastructure relying on Apache Camel for data processing.

Remediation

Immediate Action: Upgrade Apache Camel to version 4.18.3 or 4.21.0, or the latest stable release provided by the vendor.

Proactive Monitoring: Review application access logs for unusual serialization patterns or unexpected inbound data streams that may indicate exploitation attempts.

Compensating Controls: Restrict network access to the affected service to trusted internal sources only, and utilize runtime security tools to monitor for spawned child processes.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations must prioritize upgrading the Apache Camel framework to the specified non-vulnerable versions. Given the potential for remote code execution, this update should be treated as a high-priority maintenance task.