Description
Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') vulnerability in Apache Camel DAPR component.

The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These two headers are producer-direction routing headers: when the route republishes through a Dapr producer, DaprConfigurationOptionsProxy reads them back and prefers them over the destination configured on the endpoint. As a result, in a route that consumes from one Dapr Pub/Sub topic and republishes to another (for example from('dapr-pubsub:p:t').to('dapr-pubsub:p:other')), an actor able to publish a message to the subscribed topic could set the CloudEvent's pub/sub-name and topic to values of their choosing and cause the re-published message to be delivered to an arbitrary Dapr Pub/Sub component and topic instead of the configured destination - redirecting or exfiltrating the message and bypassing the route's intended routing and any topic-level access controls in the underlying broker. Exploitation requires the ability to publish to the topic the route subscribes to; no other authentication or user interaction is needed.
This issue affects Apache Camel: from 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers from the Exchange between the Dapr consumer and any Dapr producer in the route (for example removeHeaders('CamelDaprPubSubName', 'CamelDaprTopic')), and restrict who can publish to the subscribed Dapr Pub/Sub topic so that only trusted producers can send to it.
Published: 2026-07-06
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Apache Camel DAPR Pub/Sub consumer copies the pub/sub component name and topic from inbound CloudEvents into routing headers that are used when sending the message through a DAPR producer. This improper input validation allows any publisher that can send to the subscribed topic to override the intended destination and redirect the re‑published message to an arbitrary DAPR component and topic. The consequence is that attacker-controlled traffic can be routed to unintended destinations, potentially exfiltrating sensitive data or bypassing topic‑level access controls. The flaw is a classic confused‑deputy violation, where a component performs actions on a system‑level context that it was not authorized to control.

Affected Systems

The vulnerability affects the Apache Camel DAPR component of the Apache Software Foundation. The affected versions are all releases from 4.12.0 up to but not including 4.14.8, from 4.15.0 up to but not including 4.18.3, and from 4.19.0 up to but not including 4.21.0.

Risk and Exploitability

The EPSS score is less than 1%, indicating rare exploitation but not impossible, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires the ability to publish to the subscribed DAPR Pub/Sub topic; no additional authentication or user interaction is needed. Because an attacker can redirect or exfiltrate messages, the risk to confidentiality, integrity, or availability of the data stream is significant. The attack vector is likely remote or internal, depending on who can publish to the topic. The overall risk is moderate to high in environments where the publish permissions are overly permissive.

Generated by OpenCVE AI on July 6, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel DAPR to version 4.21.0. If you are on a 4.14.x LTS stream, upgrade to 4.14.8; if on a 4.18.x stream, upgrade to 4.18.3.
  • If an upgrade is not immediately possible, modify the route to remove the CamelDaprPubSubName and CamelDaprTopic headers between the consumer and any producer (e.g., removeHeaders('CamelDaprPubSubName', 'CamelDaprTopic')).
  • Limit publishing rights on the subscribed DAPR Pub/Sub topic so that only trusted producers can send messages to it.

Generated by OpenCVE AI on July 6, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These two headers are producer-direction routing headers: when the route republishes through a Dapr producer, DaprConfigurationOptionsProxy reads them back and prefers them over the destination configured on the endpoint. As a result, in a route that consumes from one Dapr Pub/Sub topic and republishes to another (for example from('dapr-pubsub:p:t').to('dapr-pubsub:p:other')), an actor able to publish a message to the subscribed topic could set the CloudEvent's pub/sub-name and topic to values of their choosing and cause the re-published message to be delivered to an arbitrary Dapr Pub/Sub component and topic instead of the configured destination - redirecting or exfiltrating the message and bypassing the route's intended routing and any topic-level access controls in the underlying broker. Exploitation requires the ability to publish to the topic the route subscribes to; no other authentication or user interaction is needed. This issue affects Apache Camel: from 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers from the Exchange between the Dapr consumer and any Dapr producer in the route (for example removeHeaders('CamelDaprPubSubName', 'CamelDaprTopic')), and restrict who can publish to the subscribed Dapr Pub/Sub topic so that only trusted producers can send to it.
Title Apache Camel Dapr: Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to influence internal behaviour
Weaknesses CWE-20
CWE-441
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T19:04:56.921Z

Reserved: 2026-05-27T11:04:35.426Z

Link: CVE-2026-49086

cve-icon Vulnrichment

Updated: 2026-07-06T09:25:37.835Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:15:16Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-441

    Unintended Proxy or Intermediary ('Confused Deputy')