CVE-2026-43867

Apache · Camel

A deserialization vulnerability in the Apache Camel PQC component allows attackers with write access to AWS Secrets Manager to execute arbitrary code via crafted serialized objects.

Executive summary

A critical deserialization vulnerability in Apache Camel’s PQC component could allow an attacker with write access to AWS Secrets Manager to achieve remote code execution.

Vulnerability

The issue exists in the camel-pqc component, which uses java.io.ObjectInputStream to deserialize key metadata without proper filtering. An attacker capable of modifying secret values in AWS Secrets Manager can inject a malicious serialized object, leading to code execution upon deserialization.

Business impact

This flaw carries a CVSS score of 9.8, indicating the highest level of severity. Successful exploitation results in a total compromise of the application context, potentially allowing the attacker to gain full control over the server, exfiltrate data, or pivot into sensitive cloud infrastructure.

Remediation

Immediate Action: Update Apache Camel to version 4.21.0 or the 4.18.3 LTS release immediately.

Proactive Monitoring: Audit IAM policies to ensure the principle of least privilege is applied to AWS Secrets Manager. Monitor for unauthorized PutSecretValue actions in CloudTrail.

Compensating Controls: Restrict write access to the specific secrets used by the camel-pqc component to only the necessary application identities, and isolate PQC key material from less-trusted data sources.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The risk of remote code execution requires immediate attention. Beyond patching, administrators must enforce strict IAM controls over secret management to prevent the potential for object injection.