CVE-2026-43867
Apache · Camel
A deserialization vulnerability in the Apache Camel PQC component allows attackers with write access to AWS Secrets Manager to execute arbitrary code via crafted serialized objects.
Executive summary
A critical deserialization vulnerability in Apache Camel’s PQC component could allow an attacker with write access to AWS Secrets Manager to achieve remote code execution.
Vulnerability
The issue exists in the camel-pqc component, which uses java.io.ObjectInputStream to deserialize key metadata without proper filtering. An attacker capable of modifying secret values in AWS Secrets Manager can inject a malicious serialized object, leading to code execution upon deserialization.
Business impact
This flaw carries a CVSS score of 9.8, indicating the highest level of severity. Successful exploitation results in a total compromise of the application context, potentially allowing the attacker to gain full control over the server, exfiltrate data, or pivot into sensitive cloud infrastructure.
Remediation
Immediate Action: Update Apache Camel to version 4.21.0 or the 4.18.3 LTS release immediately.
Proactive Monitoring: Audit IAM policies to ensure the principle of least privilege is applied to AWS Secrets Manager. Monitor for unauthorized PutSecretValue actions in CloudTrail.
Compensating Controls: Restrict write access to the specific secrets used by the camel-pqc component to only the necessary application identities, and isolate PQC key material from less-trusted data sources.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The risk of remote code execution requires immediate attention. Beyond patching, administrators must enforce strict IAM controls over secret management to prevent the potential for object injection.