Description
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component.

The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false because the backing field was an uninitialised primitive boolean (Java's default of false), whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain (via DefaultNettyHttpBinding) instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http consumer (for example netty-http: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.netty-http.configuration.mute-exception=true property), so that processing errors no longer return the stack trace to the client.
Published: 2026-07-06
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the camel‑netty‑http consumer's muteException option, which by default is false. When a route processing error occurs, the consumer writes the full Java stack trace to the HTTP response body, exposing credentials, host names, file paths, and other internal details. This corresponds to CWE‑209: Exposure of Sensitive Information.

Affected Systems

Affected product: Apache Camel, Netty HTTP component. Versions from 4.0.0 up to before 4.14.8, from 4.15.0 up to before 4.18.3, and from 4.19.0 up to before 4.21.0 are impacted. Users on the 4.14.x LTS stream should upgrade to 4.14.8, the 4.18.x stream to 4.18.3, and all others to 4.21.0.

Risk and Exploitability

The EPSS score is below 1%, indicating that the likelihood of a known exploit is low, and the issue is not listed in CISA KEV. Nevertheless, the flaw permits unauthenticated clients to trigger a processing error and receive a detailed stack trace by sending a malformed request or invalid parameter to a reachable Camel Netty HTTP endpoint. This can provide attackers with valuable information for further attacks. The recommended remediation path is to upgrade or enable muteException, thereby reducing the attack surface.

Generated by OpenCVE AI on July 6, 2026 at 17:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Camel 4.21.0 or later; if on a 4.14.x LTS stream, upgrade to 4.14.8; if on a 4.18.x stream, upgrade to 4.18.3.
  • Set muteException=true explicitly on the consumer or globally (camel.component.netty-http.configuration.mute-exception=true) to suppress stack trace output.
  • Implement robust input validation for all Netty HTTP endpoints to avoid triggering route processing errors.

Generated by OpenCVE AI on July 6, 2026 at 17:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false because the backing field was an uninitialised primitive boolean (Java's default of false), whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain (via DefaultNettyHttpBinding) instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http consumer (for example netty-http: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.netty-http.configuration.mute-exception=true property), so that processing errors no longer return the stack trace to the client.
Title Apache Camel: Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Weaknesses CWE-209
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T09:25:45.988Z

Reserved: 2026-05-29T16:50:08.917Z

Link: CVE-2026-49365

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:15:16Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information