Description
Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') vulnerability in Apache Camel CXF SOAP component.

The camel-cxf producer selects which SOAP operation to invoke on the backend service from the operationName (and operationNamespace) Exchange header, whose constant values (CxfConstants.OPERATION_NAME / OPERATION_NAMESPACE) were the plain strings operationName / operationNamespace. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a cxf: producer, any HTTP client could therefore set the operationName header and have CxfProducer resolve and invoke a different WSDL operation than the route intended - for example replacing a read operation with a destructive one - against the backend SOAP service (a confused-deputy redirection). The constant is defined in the shared camel-cxf-common module, so the same non-prefixed names also applied to camel-cxfrs. No credentials are required when the bridging consumer is unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the operation-selection headers are named CamelCxfOperationName / CamelCxfOperationNamespace and are filtered at transport boundaries; see the 4.21 upgrade guide for the cross-transport carrier-header pattern. For deployments that cannot upgrade immediately, do not select the CXF operation from untrusted input: strip the operationName and operationNamespace headers from any untrusted ingress before the cxf: producer and set the operation from a trusted source in the route.
Published: 2026-07-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Camel’s CXF SOAP component relies on two Exchange headers—operationName and operationNamespace—to determine which WSDL operation to invoke on the backend service. These header names are defined as plain strings ('operationName'/'operationNamespace') rather than camel‑prefixed identifiers. Consequently, the HttpHeaderFilterStrategy, which filters only camel‑prefixed headers at the HTTP boundary, fails to block them. An attacker who can send arbitrary HTTP requests to an unauthenticated route that bridges a consumer into a CXF producer can therefore set these headers to an arbitrary SOAP operation. If the attacker is able to choose a destructive or otherwise privileged operation, the backend service will be invoked with that operation, potentially leading to unauthorized data modification or other destructive effects.

Affected Systems

The vulnerability impacts all versions of Apache Camel CXF from 4.0.0 up to but excluding 4.14.8, 4.15.0 up to 4.18.3, and 4.19.0 up to 4.21.0. The affected component is the camel-cxf producer and the shared camel-cxf-common module that defines the non‑prefixed header constants. Systems that expose a route which consumes HTTP requests (for example platform-http) and forwards them to a CXF producer without validating or filtering those headers are at risk. The patch is provided in Apache Camel 4.21.0 (and the corresponding LTS fixes 4.14.8 and 4.18.3).

Risk and Exploitability

The EPSS score is below 1 %, and the vulnerability is not listed in CISA’s KEV catalog, indicating a low probability of exploitation under normal circumstances. However, because the vulnerability is triggered by an inbound HTTP header and does not require authentication, an attacker with network visibility can trivially set the operationName header in an HTTP request. If the bridging consumer is exposed to the Internet, the risk rises. The vendor recommends upgrading to the patched releases or, if immediate upgrade is impossible, stripping these headers from any untrusted input prior to the CXF producer and ensuring the operation is set from a trusted source within the route.

Generated by OpenCVE AI on July 6, 2026 at 17:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Apache Camel release (4.21.0), or 4.14.8 for 4.14.x LTS, or 4.18.3 for 4.18.x, to apply the official fix that renames the headers to CamelCxfOperationName/CamelCxfOperationNamespace.
  • If an upgrade cannot be performed immediately, configure inbound routes to discard or reject the operationName and operationNamespace headers before they reach the CXF producer, and set the operation from a trusted source in the route definition.
  • Review all routes that bridge an HTTP consumer into a CXF producer for untrusted header usage, ensure proper HttpHeaderFilterStrategy configuration, and audit that only camel‑prefixed headers are forwarded on the HTTP boundary.

Generated by OpenCVE AI on July 6, 2026 at 17:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') vulnerability in Apache Camel CXF SOAP component. The camel-cxf producer selects which SOAP operation to invoke on the backend service from the operationName (and operationNamespace) Exchange header, whose constant values (CxfConstants.OPERATION_NAME / OPERATION_NAMESPACE) were the plain strings operationName / operationNamespace. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a cxf: producer, any HTTP client could therefore set the operationName header and have CxfProducer resolve and invoke a different WSDL operation than the route intended - for example replacing a read operation with a destructive one - against the backend SOAP service (a confused-deputy redirection). The constant is defined in the shared camel-cxf-common module, so the same non-prefixed names also applied to camel-cxfrs. No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the operation-selection headers are named CamelCxfOperationName / CamelCxfOperationNamespace and are filtered at transport boundaries; see the 4.21 upgrade guide for the cross-transport carrier-header pattern. For deployments that cannot upgrade immediately, do not select the CXF operation from untrusted input: strip the operationName and operationNamespace headers from any untrusted ingress before the cxf: producer and set the operation from a trusted source in the route.
Title Apache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed names (operationName, operationNamespace) that bypass the HTTP header filter, allowing an HTTP client to redirect the invoked SOAP operation
Weaknesses CWE-20
CWE-441
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T19:20:07.548Z

Reserved: 2026-05-15T13:32:13.841Z

Link: CVE-2026-46592

cve-icon Vulnrichment

Updated: 2026-07-06T09:25:22.301Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:15:16Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-441

    Unintended Proxy or Intermediary ('Confused Deputy')