oM noM Security Feeds cve
vulnerability context

CVE-2026-43867

CVSS 9.8 CRITICALEPSS 40%CWE-502

Deserialization of Untrusted Data vulnerability in Apache Camel PQC Component. The camel-pqc component persists post-quantum key metadata (KeyMetadata) through pluggable KeyLifecycleManager implementations. AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() reads that metadata back from the configured AWS Secrets Manager secret by Base64-decoding the stored value and deserializing it with a raw java.io.ObjectInputStream.readObject() and no ObjectInputFilter or class allow-list; the cast to KeyMetadata happens only after readObject() returns, so any readObject() side effects in a craft...

Published 2026-07-06 · last modified 2026-07-07

details

CISA KEV status
Not in catalog
CVSS v3
9.8 / CRITICAL
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
40% percentile (score 0.0051)
CWE
CWE-502
OTX pulses
0 total, 0 recent

source mentions 2

source consensus

  • Bluesky:@cyberhub.blog
  • oss-security
Want the 3-bullet summary of CVE-2026-43867, plus webhook alerts when KEV is updated? Pro is $10/mo.