Description
Improper Input Validation vulnerability in Apache Camel.

This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0.

Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue.
Published: 2026-07-06
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper Input Validation in Apache Camel allows an attacker to provide non-Camel-prefixed exchange headers that bypass the HeaderFilterStrategy. This can cause the value of the operation header to be overridden by untrusted input. An attacker could thus instruct the Camel route to execute arbitrary CouchDB operations, leading to unauthorized data modification, deletion, or execution of dangerous commands, compromising data integrity and potentially confidentiality.

Affected Systems

The vulnerability affects Apache Camel versions up to 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0. Users using any of these releases should upgrade to version 4.14.8, 4.18.3 or 4.21.0 to receive the fix. The issue is specific to the CouchDB component of Camel.

Risk and Exploitability

No specific CVSS score or EPSS score is publicly available for this issue. The vulnerability is not listed in the CISA KEV catalog, suggesting it may not be widely exploited yet. However, the exploitation path requires the attacker to supply crafted headers in a Camel route that touches CouchDB, which may be limited to applications with exposed Camel endpoints. The risk remains significant for environments that expose such routes, especially if the application is publicly reachable. Timely patching is advised to mitigate potential unauthorized operation override.

Generated by OpenCVE AI on July 6, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Apache Camel to a fixed release—4.14.8, 4.18.3, or 4.21.0.
  • Restrict direct exposure of Camel routes that interact with CouchDB to trusted users or internal networks.
  • Review and sanitize incoming headers in Camel routes to ensure only trusted prefixes are accepted, and disable or remove any code that allows operation headers to be set from untrusted input.

Generated by OpenCVE AI on July 6, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue.
Title Apache Camel: CouchDB: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T18:37:55.588Z

Reserved: 2026-05-15T08:57:46.627Z

Link: CVE-2026-46588

cve-icon Vulnrichment

Updated: 2026-07-06T18:37:51.189Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:00:05Z

Weaknesses
  • CWE-20

    Improper Input Validation