Skip to main content

Apache Camel CVE-2026-46585

| EUVDEUVD-2026-41833 HIGH
Improper Input Validation (CWE-20)
2026-07-06 apache GHSA-566h-v38h-3xp3
7.5
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
8.2 HIGH

Unauthenticated HTTP header injection (AV:N/AC:L/PR:N) gives high index disclosure (C:H); added A:L reflects described CPU-heavy regex queries; no integrity impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jul 06, 2026 - 21:31 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:30 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:30 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 20:22 NVD
7.5 (HIGH)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 06, 2026 - 09:37 vuln.today

DescriptionCVE.org

Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Lucene Component.

The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation behind an HTTP consumer (for example platform-http), any HTTP client could therefore set the QUERY header and have its value executed against the full-text index, overriding the query the route intended to run. Depending on what is indexed, this allows reading documents the request should not have access to (for example a match-all query returns the entire index, or the route's intended per-user filter can be replaced), and expensive regular-expression queries can consume significant CPU. No credentials are required when the HTTP consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip the attacker-controllable headers before the Lucene producer and set the query from a trusted source (for example removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS'), then setHeader('QUERY', constant(...)) at the start of the route).

AnalysisAI

Query injection and authorization bypass in the Apache Camel Lucene component (camel-lucene) lets remote unauthenticated HTTP clients override the full-text search a route intends to run. Because the raw header names QUERY and RETURN_LUCENE_DOCS lack the Camel/camel prefix, HttpHeaderFilterStrategy does not strip them at the HTTP boundary, so an attacker-supplied header flows straight into the Exchange and executes against the index - enabling disclosure of documents the requester should not see (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate HTTP-exposed Lucene search route
Delivery
Send HTTP request with QUERY header
Exploit
Header bypasses HttpHeaderFilterStrategy filter
Execution
Overrides route's intended Lucene query
Impact
Exfiltrate full index or trigger regex CPU load

Vulnerability AssessmentAI

Exploitation Requires a Camel route that feeds an HTTP consumer (for example platform-http) into the camel-lucene producer and relies on the raw header names QUERY / RETURN_LUCENE_DOCS to carry the search phrase - the vulnerable data path only exists in that configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and point to a real but conditional issue rather than a mass-exploitation emergency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An organization runs a Camel route on platform-http that lets users search an internal document index, applying a server-side per-user filter. An attacker sends a normal HTTP request but adds the header QUERY set to a match-all expression; the header bypasses HttpHeaderFilterStrategy, replaces the route's intended query, and returns the entire index including other users' documents. …
Remediation Vendor-released patches are available: upgrade to Apache Camel 4.21.0 (primary fix), or on the LTS/maintenance streams to 4.14.8 (4.14.x) or 4.18.3 (4.18.x). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory systems running Apache Camel and verify version numbers against affected ranges (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-46585 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy