Impact
Apache Camel’s CXF SOAP component relies on two Exchange headers—operationName and operationNamespace—to determine which WSDL operation to invoke on the backend service. These header names are defined as plain strings ('operationName'/'operationNamespace') rather than camel‑prefixed identifiers. Consequently, the HttpHeaderFilterStrategy, which filters only camel‑prefixed headers at the HTTP boundary, fails to block them. An attacker who can send arbitrary HTTP requests to an unauthenticated route that bridges a consumer into a CXF producer can therefore set these headers to an arbitrary SOAP operation. If the attacker is able to choose a destructive or otherwise privileged operation, the backend service will be invoked with that operation, potentially leading to unauthorized data modification or other destructive effects.
Affected Systems
The vulnerability impacts all versions of Apache Camel CXF from 4.0.0 up to but excluding 4.14.8, 4.15.0 up to 4.18.3, and 4.19.0 up to 4.21.0. The affected component is the camel-cxf producer and the shared camel-cxf-common module that defines the non‑prefixed header constants. Systems that expose a route which consumes HTTP requests (for example platform-http) and forwards them to a CXF producer without validating or filtering those headers are at risk. The patch is provided in Apache Camel 4.21.0 (and the corresponding LTS fixes 4.14.8 and 4.18.3).
Risk and Exploitability
The EPSS score is below 1 %, and the vulnerability is not listed in CISA’s KEV catalog, indicating a low probability of exploitation under normal circumstances. However, because the vulnerability is triggered by an inbound HTTP header and does not require authentication, an attacker with network visibility can trivially set the operationName header in an HTTP request. If the bridging consumer is exposed to the Internet, the risk rises. The vendor recommends upgrading to the patched releases or, if immediate upgrade is impossible, stripping these headers from any untrusted input prior to the CXF producer and ensuring the operation is set from a trusted source within the route.
OpenCVE Enrichment