CVE-2026-43867 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-43867 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-43867 is a critical deserialization of untrusted data vulnerability in the Apache Camel PQC (Post-Quantum Cryptography) component, specifically affecting how the camel-pqc module handles persistence of post-quantum key metadata through its KeyLifecycleManager implementation.
Technical Detail
The flaw exists in the camel-pqc component's handling of KeyMetadata objects, which are serialized and persisted via pluggable KeyLifecycleManager implementations without adequate validation of the deserialized data. An attacker who can influence the serialized key metadata input, whether through a malicious data store, a compromised persistence backend, or a man-in-the-middle position on the data path, can supply a crafted payload that triggers arbitrary code execution during deserialization. Successful exploitation could result in remote code execution (RCE) within the context of the Camel application process, potentially leading to full host compromise depending on the deployment environment and privilege level of the running service.
Exploitation Status
No known exploit exists for this vulnerability at this time. The exploit maturity is currently assessed as none, meaning no public proof-of-concept code or observed in-the-wild exploitation has been confirmed. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog as of July 13, 2026. The critical CVSS score of 9.8 reflects the potential severity of exploitation rather than observed activity.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been identified in connection with this vulnerability. Given the absence of known exploits, no active targeting has been documented.
What To Do
Organizations using Apache Camel with the camel-pqc component should treat this as a high-priority patch given the critical CVSS score of 9.8 and the RCE potential. Apply the vendor-supplied patch from Apache as soon as it becomes available and monitor the Apache Camel security advisories at camel.apache.org for official remediation guidance. As an interim measure, restrict access to any persistence backends or data stores used by the KeyLifecycleManager to trusted, authenticated sources only, and audit existing KeyMetadata storage for signs of tampering. If the camel-pqc component is not operationally required, disable or remove it from the deployment until a patch is applied. Detection efforts should focus on anomalous process spawning or unexpected outbound connections originating from the Camel application process, which may indicate deserialization exploitation in progress.