Description
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Atmosphere Websocket Component.

The camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() iterates the query-string map collected in WebsocketConsumer.service() and copies each entry into the Exchange). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. When the WebSocket endpoint is exposed without authentication, this is reachable by an unauthenticated remote attacker.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the consumer apply the HeaderFilterStrategy it already inherits from the HTTP/servlet stack, filtering the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.
Published: 2026-07-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Camel’s Atmosphere Websocket consumer mistakenly copies every query‑string parameter from a client’s WebSocket request into the Exchange header map without filtering. Because the Camel header namespace is not blocked, an attacker can send specially crafted query parameters that set privileged Camel control headers, most notably CamelHttpUri (Exchange.HTTP_URI). In a route that forwards the Exchange to an HTTP producer, this injected header causes the server to issue a request to an attacker‑chosen URI, enabling server‑side request forgery (SSRF). Additionally, the HTTP producer expands property placeholders on that URI, exposing environment variables, application properties, and vault secrets to the attacker. If the endpoint is unprotected, an unauthenticated remote attacker can leverage this flaw without any additional privileges.

Affected Systems

The vulnerability exists in the Apache Camel Atmosphere Websocket component shipped with Apache Software Foundation’s Camel. Affected releases are 4.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.x. Users of the 4.14.x LTS stream should upgrade to 4.14.8, users of the 4.18.x stream to 4.18.3, and all other users should adopt 4.21.0, which provides a filter that blocks Camel‑header injection.

Risk and Exploitability

Because the exploit is reachable via an unauthenticated WebSocket connection, the risk is significant. The EPSS score is listed as <1 %, indicating a low probability of widespread exploitation at this time, yet the impact of a successful SSRF and the leakage of privileged secrets could be devastating. The vulnerability is not currently listed in the CISA KEV catalog, but its potential rating is high given the remote, unauthenticated attack vector and the ability to compromise internal services or retrieve confidential information. If a user’s environment maintains an unfiltered Bridge from untrusted consumers to HTTP producers, the attack could be executed without any additional access controls.

Generated by OpenCVE AI on July 7, 2026 at 11:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to the officially fixed version: 4.21.0 for all streams; use 4.14.8 for 4.14.x releases and 4.18.3 for 4.18.x releases.
  • Authenticate all clients before they can connect to the Atmosphere Websocket endpoint, preventing unauthenticated exploitation of the consumer.
  • Add a route filter that removes any inbound Camel‑prefixed headers, such as removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route.
  • Avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.

Generated by OpenCVE AI on July 7, 2026 at 11:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel Atmosphere Websocket
Vendors & Products Apache
Apache camel Atmosphere Websocket

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Atmosphere Websocket Component. The camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() iterates the query-string map collected in WebsocketConsumer.service() and copies each entry into the Exchange). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. When the WebSocket endpoint is exposed without authentication, this is reachable by an unauthenticated remote attacker. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the consumer apply the HeaderFilterStrategy it already inherits from the HTTP/servlet stack, filtering the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.
Title Apache Camel Atmosphere Websocket: The inbound consumer maps externally-supplied WebSocket query parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling influencing internal behaviour
Weaknesses CWE-20
CWE-200
CWE-918
References

Subscriptions

Apache Camel Atmosphere Websocket
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-07T12:39:32.830Z

Reserved: 2026-06-18T08:12:33.509Z

Link: CVE-2026-55993

cve-icon Vulnrichment

Updated: 2026-07-06T09:26:02.909Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T11:15:03Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-918

    Server-Side Request Forgery (SSRF)