Impact
The Camel‑elasticsearch‑rest‑client component handles several Exchange headers—SEARCH_QUERY, OPERATION, INDEX_NAME, INDEX_SETTINGS, and ID—without the Camel prefix that other Camel components use. Because Camel’s inbound HTTP header filter only blocks headers starting with "Camel" or "camel", these unprefixed headers bypass the filter. An attacker who can send an HTTP request to a Camel route that exposes an HTTP entry point can set these headers directly, overriding the query and operation the route author configured. This allows arbitrary read, delete, or exfiltration of data from an underlying Elasticsearch cluster without authentication. The vulnerability is a combination of improper input validation (CWE‑20) and authorization bypass (CWE‑639).
Affected Systems
Apache Software Foundation: Apache Camel, version ranges 4.3.0 to 4.14.7, 4.15.0 to 4.18.2, and 4.19.0 to 4.20.x are affected. Updated releases 4.14.8, 4.18.3, and 4.21.0 contain the fix.
Risk and Exploitability
The EPSS score of less than 1% indicates a very low probability of exploitation, and the vulnerability is not listed in CISA’s KEV catalog. Nevertheless, exploitation requires only the ability to send a crafted HTTP request to a Camel route that forwards to the Elasticsearch Rest Client; no credentials are needed. Successful exploitation can result in full data exfiltration, unauthorized deletion, or other integrity violations, making the risk significant for systems handling sensitive data despite the low likelihood.
OpenCVE Enrichment