Description
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Lucene Component.

The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation behind an HTTP consumer (for example platform-http), any HTTP client could therefore set the QUERY header and have its value executed against the full-text index, overriding the query the route intended to run. Depending on what is indexed, this allows reading documents the request should not have access to (for example a match-all query returns the entire index, or the route's intended per-user filter can be replaced), and expensive regular-expression queries can consume significant CPU. No credentials are required when the HTTP consumer is unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip the attacker-controllable headers before the Lucene producer and set the query from a trusted source (for example removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS'), then setHeader('QUERY', constant(...)) at the start of the route).
Published: 2026-07-06
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from improper input validation and an authorization bypass that allows an attacker to send specially named HTTP headers—QUERY and RETURN_LUCENE_DOCS—without the Camel prefix. These headers bypass the HttpHeaderFilterStrategy and are directly injected into a Camel exchange. An HTTP client can therefore cause the Lucene producer to execute an arbitrary full‑text search query against the index, potentially reading documents that were not intended for that user or triggering expensive regular‑expression queries that consume significant CPU. No authentication is required when the consumer is unauthenticated, making the impact more severe for exposed routes. The flaw is a classic example of unsafe header handling that leaks confidential data or causes denial of service through resource exhaustion.

Affected Systems

The issue affects Apache Camel Lucene component versions beginning with 4.0.0 and running up to, but not including, 4.14.8, 4.18.3, or 4.21.0. Specifically, any release from 4.0.0 to 4.14.7, from 4.15.0 to 4.18.2, or from 4.19.0 to 4.20.x is vulnerable. The vendor identified is the Apache Software Foundation, and the product is the Apache Camel Lucene component.

Risk and Exploitability

The EPSS score of less than 1% indicates a very low probability that this vulnerability is currently being exploited in the wild, and it is not listed in the CISA KEV catalog. The attack vector is an unauthenticated or authenticated HTTP client that can send arbitrary headers to a route that consumes HTTP requests and forwards them to the Lucene producer. Because the fault lies in the lack of proper filtering of non‑Camel header names, the attacker does not need any privileged credentials and can construct a request from any network reachability to the HTTP endpoint. While the potential impact is significant—data leakage and possible denial of service—the overall likelihood is low given the current exploitation statistics.

Generated by OpenCVE AI on July 6, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel Lucene to the latest secure version, using 4.21.0 for new releases or upgrading to 4.14.8 if on the 4.14.x LTS stream or to 4.18.3 if on the 4.18.x stream.
  • After upgrading, modify all routes to use the fixed Camel header names CamelLuceneQuery and CamelLuceneReturnLuceneDocs instead of the raw QUERY and RETURN_LUCENE_DOCS headers for any Lucene queries.
  • For deployments that cannot immediately upgrade, alter the route to strip or overwrite user‑supplied QUERY and RETURN_LUCENE_DOCS headers before they reach the Lucene producer—e.g., use removeHeader('QUERY'), removeHeader('RETURN_LUCENE_DOCS'), then setHeader('QUERY', constant(...)) from a trusted source.

Generated by OpenCVE AI on July 6, 2026 at 17:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Lucene Component. The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation behind an HTTP consumer (for example platform-http), any HTTP client could therefore set the QUERY header and have its value executed against the full-text index, overriding the query the route intended to run. Depending on what is indexed, this allows reading documents the request should not have access to (for example a match-all query returns the entire index, or the route's intended per-user filter can be replaced), and expensive regular-expression queries can consume significant CPU. No credentials are required when the HTTP consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip the attacker-controllable headers before the Lucene producer and set the query from a trusted source (for example removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS'), then setHeader('QUERY', constant(...)) at the start of the route).
Title Apache Camel Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query
Weaknesses CWE-20
CWE-639
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T19:24:45.975Z

Reserved: 2026-05-15T07:54:48.302Z

Link: CVE-2026-46585

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:15:16Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-639

    Authorization Bypass Through User-Controlled Key