Description
Improper Input Validation vulnerability in Apache Camel.

This issue affects Apache Camel: from 4.8.0 through 4.18.2, from 4.19.0 through 4.20.0.

Users are recommended to upgrade to version 4.18.3, 4.21.0, which fixes the issue.
Published: 2026-07-06
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Camel includes an improper input validation flaw in the langchain4j-tools component that allows unfiltered header arguments to be passed against declared parameters. Attackers can manipulate request or response headers through crafted input, potentially altering message routing, data visibility, or downstream processing. The flaw is a classic input validation issue (CWE‑20) and could be abused to subvert normal application logic.

Affected Systems

The vulnerability affects Apache Camel versions 4.8.0 through 4.18.2 and 4.19.0 through 4.20.0. The affected vendor is the Apache Software Foundation. Users are advised to upgrade to Apache Camel 4.18.3 or the next available release, 4.21.0, which contains the fix.

Risk and Exploitability

The EPSS score is not available for this CVE, and it is not listed in the CISA KEV catalog, suggesting a moderate level of publicly known exploitation. Without evidence of a public exploit, the risk relies on the likelihood that an attacker can reach a Camel instance that processes user-provided header values. The primary attack vector is therefore activity within the Camel application itself, rather than a remote exploitation from the outside. The severity depends on the sensitivity of the data or control flow that can be altered by injected headers, but the absence of known exploits and limited disclosure indicates a lower urgency compared to high‑impact remote code execution flaws.

Generated by OpenCVE AI on July 6, 2026 at 16:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to version 4.18.3 or later, ensuring that the langchain4j‑tools component is updated to the patched release.
  • Verify that all deployment environments, including Kubernetes clusters and virtual machines, are running the patched Camel version.
  • Implement input validation or a header whitelist in application code to reject any unexpected header values before they reach Camel.
  • Deploy application monitoring to detect anomalous header traffic patterns that may indicate an attempt to exploit the vulnerability.

Generated by OpenCVE AI on July 6, 2026 at 16:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: from 4.8.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.18.3, 4.21.0, which fixes the issue.
Title Apache Camel: langchain4j-tools: filter tool argument headers against declared parameters
Weaknesses CWE-20
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T18:40:31.559Z

Reserved: 2026-05-27T07:43:27.847Z

Link: CVE-2026-49042

cve-icon Vulnrichment

Updated: 2026-07-06T18:40:20.434Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:00:05Z

Weaknesses
  • CWE-20

    Improper Input Validation