Impact
The vulnerability arises from improper input validation and an authorization bypass that allows an attacker to send specially named HTTP headers—QUERY and RETURN_LUCENE_DOCS—without the Camel prefix. These headers bypass the HttpHeaderFilterStrategy and are directly injected into a Camel exchange. An HTTP client can therefore cause the Lucene producer to execute an arbitrary full‑text search query against the index, potentially reading documents that were not intended for that user or triggering expensive regular‑expression queries that consume significant CPU. No authentication is required when the consumer is unauthenticated, making the impact more severe for exposed routes. The flaw is a classic example of unsafe header handling that leaks confidential data or causes denial of service through resource exhaustion.
Affected Systems
The issue affects Apache Camel Lucene component versions beginning with 4.0.0 and running up to, but not including, 4.14.8, 4.18.3, or 4.21.0. Specifically, any release from 4.0.0 to 4.14.7, from 4.15.0 to 4.18.2, or from 4.19.0 to 4.20.x is vulnerable. The vendor identified is the Apache Software Foundation, and the product is the Apache Camel Lucene component.
Risk and Exploitability
The EPSS score of less than 1% indicates a very low probability that this vulnerability is currently being exploited in the wild, and it is not listed in the CISA KEV catalog. The attack vector is an unauthenticated or authenticated HTTP client that can send arbitrary headers to a route that consumes HTTP requests and forwards them to the Lucene producer. Because the fault lies in the lack of proper filtering of non‑Camel header names, the attacker does not need any privileged credentials and can construct a request from any network reachability to the HTTP endpoint. While the potential impact is significant—data leakage and possible denial of service—the overall likelihood is low given the current exploitation statistics.
OpenCVE Enrichment