Description
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component.

The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied.
Published: 2026-07-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker who can reach the camel‑undertow consumer to trigger a route processing error that causes the full Java stack trace to be returned as the HTTP response body. The exposed stack trace reveals credentials, host names, IP addresses, file paths, dependency and version information, database and class names, and other internal structural details, giving an attacker insight to plan further attacks. This weakness corresponds to CWE‑209: Information Exposure.

Affected Systems

Apache Camel's Undertow component in the Apache Camel framework is impacted. Versions 4.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.9 are affected; the vulnerability is fixed in 4.21.0 and in the later-point releases 4.18.3 and 4.14.8 for the 4.18.x and 4.14.x lines respectively.

Risk and Exploitability

Exploitation requires only the ability to send a crafted request that triggers a route‑level error on an exposed endpoint; the attack vector is inferred because the description does not explicitly state it. Because muteException defaults to false, any errored request returns the complete stack trace and thus sensitive internal details. The CVSS score of 5.3 indicates moderate severity. The EPSS score is reported as < 1 %, indicating a low probability of exploitation on a global basis, though the vulnerability is still highly valuable for targeted attackers. The issue is not listed in CISA KEV and no public exploits have been disclosed; however, attackers can leverage the exposed information to map the internal system and plan subsequent attacks.

Generated by OpenCVE AI on July 8, 2026 at 05:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to the fixed version—4.21.0 for general releases, 4.18.3 for 4.18.x streams, or 4.14.8 for 4.14.x LTS releases.
  • If an upgrade cannot be made immediately, set the muteException option to true on the camel‑undertow consumer or globally via camel.component.undertow.mute-exception=true to suppress stack traces.
  • For Rest DSL consumers, apply the same configuration change; until the fix is applied, protect the endpoint with authentication or access restrictions.

Generated by OpenCVE AI on July 8, 2026 at 05:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel Undertow
Vendors & Products Apache
Apache camel Undertow

Mon, 06 Jul 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component. The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied.
Title Apache Camel Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients
Weaknesses CWE-209
References

Subscriptions

Apache Camel Undertow
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T20:55:43.126Z

Reserved: 2026-06-19T09:53:55.822Z

Link: CVE-2026-56139

cve-icon Vulnrichment

Updated: 2026-07-06T09:26:06.541Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-06T08:15:08Z

Links: CVE-2026-56139 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T06:00:04Z

Weaknesses
  • CWE-209

    Generation of Error Message Containing Sensitive Information