Impact
Apache Camel includes an improper input validation flaw in the langchain4j-tools component that allows unfiltered header arguments to be passed against declared parameters. Attackers can manipulate request or response headers through crafted input, potentially altering message routing, data visibility, or downstream processing. The flaw is a classic input validation issue (CWE‑20) and could be abused to subvert normal application logic.
Affected Systems
The vulnerability affects Apache Camel versions 4.8.0 through 4.18.2 and 4.19.0 through 4.20.0. The affected vendor is the Apache Software Foundation. Users are advised to upgrade to Apache Camel 4.18.3 or the next available release, 4.21.0, which contains the fix.
Risk and Exploitability
The EPSS score is not available for this CVE, and it is not listed in the CISA KEV catalog, suggesting a moderate level of publicly known exploitation. Without evidence of a public exploit, the risk relies on the likelihood that an attacker can reach a Camel instance that processes user-provided header values. The primary attack vector is therefore activity within the Camel application itself, rather than a remote exploitation from the outside. The severity depends on the sensitivity of the data or control flow that can be altered by injected headers, but the absence of known exploits and limited disclosure indicates a lower urgency compared to high‑impact remote code execution flaws.
OpenCVE Enrichment