{"schema_version": "1.6.1", "id": "CVE-2026-40048", "summary": "Unsafe Deserialization from FileBasedKeyLifecycleManager", "details": "The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application — for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack — can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application.\n\nThis issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2.\n\nUsers are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "4.19.0"}, {"fixed": "4.20.0"}]}, {"type": "SEMVER", "events": [{"introduced": "4.18.0"}, {"fixed": "4.18.2"}]}]}], "references": [{"type": "WEB", "url": "https://camel.apache.org/security/CVE-2026-40048.html"}]}