Impact
The Apache Camel DAPR Pub/Sub consumer copies the pub/sub component name and topic from inbound CloudEvents into routing headers that are used when sending the message through a DAPR producer. This improper input validation allows any publisher that can send to the subscribed topic to override the intended destination and redirect the re‑published message to an arbitrary DAPR component and topic. The consequence is that attacker-controlled traffic can be routed to unintended destinations, potentially exfiltrating sensitive data or bypassing topic‑level access controls. The flaw is a classic confused‑deputy violation, where a component performs actions on a system‑level context that it was not authorized to control.
Affected Systems
The vulnerability affects the Apache Camel DAPR component of the Apache Software Foundation. The affected versions are all releases from 4.12.0 up to but not including 4.14.8, from 4.15.0 up to but not including 4.18.3, and from 4.19.0 up to but not including 4.21.0.
Risk and Exploitability
The EPSS score is less than 1%, indicating rare exploitation but not impossible, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the ability to publish to the subscribed DAPR Pub/Sub topic; no additional authentication or user interaction is needed. Because an attacker can redirect or exfiltrate messages, the risk to confidentiality, integrity, or availability of the data stream is significant. The attack vector is likely remote or internal, depending on who can publish to the topic. The overall risk is moderate to high in environments where the publish permissions are overly permissive.
OpenCVE Enrichment