Description
Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component.

The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the structure of the executed query. Where a route maps untrusted input into the CamelNeo4jMatchProperties map - for example by passing a request body as the match map, or from a consumer that does not filter inbound Camel* headers - an attacker who controls the JSON key names can inject arbitrary Cypher and read, modify or delete any node or relationship in the Neo4j database. The CamelNeo4jMatchProperties header is itself Camel-prefixed and is filtered by the HTTP header-filter strategy, so a plain HTTP client cannot set it directly; the issue is reachable through routes that deliberately or inadvertently carry untrusted data into that header.
This issue affects Apache Camel: from 4.10.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, do not populate the CamelNeo4jMatchProperties map from untrusted input: validate or allow-list the property names (for example against ^[A-Za-z_][A-Za-z0-9_]*$) before the Neo4j producer, and ensure that any consumer feeding such a route filters inbound Camel* / camel* headers so the match header cannot be supplied by an external sender.
Published: 2026-07-06
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CamelNeo4jMatchProperties map is used by the Neo4j producer to construct a Cypher WHERE clause. While the values are bound as parameters, the property names – the JSON keys of the map – are interpolated directly into the query string without validation. A crafted key that contains Neo4j Cypher syntax can therefore alter the query’s structure, enabling an attacker to execute arbitrary Cypher. The vulnerability is a classic Cypher injection (CWE‑943) that can lead to reading, modification, or deletion of any node or relationship in the database. The impact is significant because the data set effectively becomes accessible and modifiable by anyone who can influence the match properties.

Affected Systems

Apache Camel releases 4.10.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.9 contain the vulnerable Neo4j component. Users running these versions are at risk if untrusted data is routed into the CamelNeo4jMatchProperties header.

Risk and Exploitability

The known EPSS score is less than 1 %, indicating a low but non‑zero probability of exploitation at the time of analysis. The vulnerability is not listed in the CISA KEV catalog. The attack vector requires that a route propagate untrusted input—such as an HTTP request body—to the CamelNeo4jMatchProperties header, and that the resulting header not be filtered. When these conditions are met, an attacker controlling the property names can inject arbitrary Cypher and compromise the Neo4j database.

Generated by OpenCVE AI on July 6, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Camel 4.21.0; if using the 4.14.x LTS stream upgrade to 4.14.8, and if using the 4.18.x release stream upgrade to 4.18.3
  • If an upgrade is not immediately possible, validate all keys in the CamelNeo4jMatchProperties map against a strict regex such as ^[A-Za-z_][A-Za-z0-9_]*$ before they reach the Neo4j producer
  • Ensure that any consumer feeding the route sanitizes Camel* / camel* headers so that the CamelNeo4jMatchProperties header cannot be supplied by an external sender

Generated by OpenCVE AI on July 6, 2026 at 17:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component. The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the structure of the executed query. Where a route maps untrusted input into the CamelNeo4jMatchProperties map - for example by passing a request body as the match map, or from a consumer that does not filter inbound Camel* headers - an attacker who controls the JSON key names can inject arbitrary Cypher and read, modify or delete any node or relationship in the Neo4j database. The CamelNeo4jMatchProperties header is itself Camel-prefixed and is filtered by the HTTP header-filter strategy, so a plain HTTP client cannot set it directly; the issue is reachable through routes that deliberately or inadvertently carry untrusted data into that header. This issue affects Apache Camel: from 4.10.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, do not populate the CamelNeo4jMatchProperties map from untrusted input: validate or allow-list the property names (for example against ^[A-Za-z_][A-Za-z0-9_]*$) before the Neo4j producer, and ensure that any consumer feeding such a route filters inbound Camel* / camel* headers so the match header cannot be supplied by an external sender.
Title Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header are interpolated into the Cypher WHERE clause without validation, allowing Cypher injection (incomplete remediation of CVE-2025-66169)
Weaknesses CWE-943
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T19:21:17.467Z

Reserved: 2026-05-15T13:27:34.353Z

Link: CVE-2026-46591

cve-icon Vulnrichment

Updated: 2026-07-06T19:21:13.551Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:15:16Z

Weaknesses
  • CWE-943

    Improper Neutralization of Special Elements in Data Query Logic