Description
Improper Input Validation vulnerability in Apache Camel.

This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0.

Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue.
Published: 2026-07-06
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Camel suffers from improper input validation that allows exchange headers lacking a Camel prefix to slip through the HeaderFilterStrategy. Attackers can supply crafted header values from untrusted sources and cause Camel to override default operations, effectively enabling them to execute arbitrary operations. The vulnerability is a classic input validation flaw identified as CWE‑20, which can lead to unauthorized command execution and potential compromise of systems.

Affected Systems

The vulnerability affects Apache Camel from the Apache Software Foundation. Versions up to and including 4.14.7, the range 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0 are vulnerable. Users should upgrade to 4.14.8, 4.18.3, or 4.21.0 or later.

Risk and Exploitability

There are no publicly known exploits and the EPSS score is not available, but the flaw enables unauthenticated external input to override Camel operations, which can result in high-impact compromises. The lack of KEV listing indicates no confirmed exploitation yet, yet the potential for serious impact warrants timely remediation.

Generated by OpenCVE AI on July 6, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to a version that includes the fix (4.14.8, 4.18.3, or 4.21.0).
  • Validate all Exchange header values and ensure that untrusted input is not passed directly to Camel components.
  • Check or enforce HeaderFilterStrategy configuration to strictly reject headers lacking the required Camel prefix.

Generated by OpenCVE AI on July 6, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue.
Title Apache Camel: Couchbase: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T18:39:34.367Z

Reserved: 2026-05-15T08:56:50.216Z

Link: CVE-2026-46587

cve-icon Vulnrichment

Updated: 2026-07-06T18:39:30.302Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:00:05Z

Weaknesses
  • CWE-20

    Improper Input Validation