Skip to content

Add CVE-2026-43867 security advisory for camel-pqc AWS Secrets Manager deserialization (independent report of the CVE-2026-46590 defect)#1688

Merged
oscerd merged 1 commit into
apache:mainfrom
oscerd:security/CVE-2026-43867
Jul 6, 2026
Merged

Add CVE-2026-43867 security advisory for camel-pqc AWS Secrets Manager deserialization (independent report of the CVE-2026-46590 defect)#1688
oscerd merged 1 commit into
apache:mainfrom
oscerd:security/CVE-2026-43867

Conversation

@oscerd

@oscerd oscerd commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Adds the security advisory page for CVE-2026-43867 — unfiltered java.io.ObjectInputStream deserialization in the camel-pqc AwsSecretsManagerKeyLifecycleManager.

AwsSecretsManagerKeyLifecycleManager.deserializeMetadata() reads persisted key metadata back from the configured AWS Secrets Manager secret by Base64-decoding it and calling ObjectInputStream.readObject() with no ObjectInputFilter — the cast to KeyMetadata happens only after readObject() returns. A principal with secretsmanager:PutSecretValue on that secret could store a crafted object that executes during normal key-lifecycle operations.

This was reported independently by Venkatraman Kumar (Securin) and is the same defect, in the same code path, fixed by the same change as CVE-2026-46590 (which additionally covers the HashiCorp Vault and file-based managers). Both are incomplete-remediation follow-ons to CVE-2026-40048.

Details

Files

  • content/security/CVE-2026-43867.md — Hugo advisory source
  • content/security/CVE-2026-43867.txt.asc — clearsigned plaintext (key E34E9F3802FF4100)

⚠️ Hold merge until Apache Camel 4.18.3 / 4.21.0 are released. The fix is already merged, but those versions are not yet cut; the advisory should only go live once the fixed releases are available.


Advisory drafted by Claude Code on behalf of Andrea Cosentino.

🤖 Generated with Claude Code

Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
@oscerd oscerd merged commit e2e8493 into apache:main Jul 6, 2026
1 check passed
@oscerd oscerd deleted the security/CVE-2026-43867 branch July 6, 2026 07:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant