Description
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Iggy component.

The camel-iggy consumer mapped the user-headers of inbound Iggy messages into the Camel Exchange header map without applying any HeaderFilterStrategy (IggyFetchRecords copied the message user-headers straight into the Exchange). Because nothing blocked the Camel header namespace, an actor able to publish to the consumed Iggy stream/topic could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as message user-headers. In a route where the Iggy consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets.
This issue affects Apache Camel: from 4.17.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds a dedicated IggyHeaderFilterStrategy (and a headerFilterStrategy endpoint option) that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), restrict who can publish to the consumed Iggy stream/topic, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.
Published: 2026-07-06
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw originates in the Iggy consumer of Apache Camel, which copies user‑supplied message headers directly into the Camel Exchange without filtering. An attacker who is able to publish to the consumed Iggy stream can therefore inject Camel‑internally scoped control headers such as “CamelHttpUri”. When the downstream route contains an HTTP producer, the attacker‑controlled URI is used in a server‑side request, enabling a classic Server‑Side Request Forgery attack. The HTTP producer additionally interpolates property placeholders in that URI, causing environment‑variable references, application properties, and vault secrets to be resolved and sent to the attacker, thus disclosing sensitive data. The weakness maps to input validation (CWE‑20), information disclosure (CWE‑200), and SSRF (CWE‑918).

Affected Systems

The vulnerability affects all deployments of the Apache Camel Iggy component from version 4.17.0 up to (but not including) 4.18.3, and from 4.19.0 up to (but not including) 4.21.0. These are encompassing all builds of the Apache Software Foundation’s Apache Camel distribution that include the Iggy consumer.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1 % suggests the exploitation activity has been minimal to date. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only the ability to publish to the Iggy stream or topic, and the attack path is simple header manipulation. In environments that expose the stream to untrusted actors, the risk is substantially elevated, especially when the Iggy consumer feeds directly into an HTTP producer that can be driven by message headers.

Generated by OpenCVE AI on July 10, 2026 at 07:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Camel Iggy component to version 4.21.0, or to 4.18.3 if you are still on the 4.18.x release line, which introduces an IggyHeaderFilterStrategy to block Camel‑prefixed headers during inbound mapping.
  • Configure a HeaderFilterStrategy on the consumer or use the headerFilterStrategy endpoint option so that Camel‑specific headers (Camel*, camel*) are excluded from the Exchange during inbound mapping.
  • If an immediate upgrade is not possible, strip any Camel‑prefixed headers from inbound messages before they reach downstream HTTP producers (e.g., use removeHeaders('Camel*') and removeHeaders('camel*')). Also restrict write access to the consumed Iggy stream or topic and avoid connecting an untrusted consumer directly into an HTTP producer whose target URI can be controlled by message headers.

Generated by OpenCVE AI on July 10, 2026 at 07:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel Igy
Vendors & Products Apache
Apache camel Igy

Mon, 06 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Iggy component. The camel-iggy consumer mapped the user-headers of inbound Iggy messages into the Camel Exchange header map without applying any HeaderFilterStrategy (IggyFetchRecords copied the message user-headers straight into the Exchange). Because nothing blocked the Camel header namespace, an actor able to publish to the consumed Iggy stream/topic could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as message user-headers. In a route where the Iggy consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. This issue affects Apache Camel: from 4.17.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds a dedicated IggyHeaderFilterStrategy (and a headerFilterStrategy endpoint option) that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), restrict who can publish to the consumed Iggy stream/topic, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.
Title Apache Camel Iggy: The inbound consumer maps externally-supplied Iggy message user-headers into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling control over internal behaviour
Weaknesses CWE-20
CWE-200
CWE-918
References

Subscriptions

Apache Camel Igy
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T21:13:45.038Z

Reserved: 2026-06-18T08:14:02.970Z

Link: CVE-2026-55994

cve-icon Vulnrichment

Updated: 2026-07-06T09:26:04.728Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T07:30:12Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-918

    Server-Side Request Forgery (SSRF)