Skip to main content

Apache Camel CVE-2026-46588

| EUVDEUVD-2026-41866 HIGH
Improper Input Validation (CWE-20)
2026-07-06 apache GHSA-5g68-f6xg-vf2r
7.3
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
vuln.today AI
7.3 HIGH

Remote unauthenticated low-complexity input to a network endpoint (AV:N/AC:L/PR:N/UI:N); vendor tags Information Disclosure with only partial CIA impact, so C/I/A all Low and scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Analysis Updated
Jul 06, 2026 - 19:38 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 19:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 19:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 19:22 NVD
7.3 (HIGH)
Analysis Generated
Jul 06, 2026 - 10:58 vuln.today

DescriptionCVE.org

Improper Input Validation vulnerability in Apache Camel.

This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0.

Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue.

AnalysisAI

Improper input validation in Apache Camel (versions through 4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.0) allows remote attackers to trigger information disclosure and limited integrity/availability effects against exposed Camel integration endpoints. The CVSS 3.1 base score is 7.3 (High) with a fully remote, unauthenticated vector, and the Apache-issued advisory tags the flaw as Information Disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed Camel endpoint
Exploit
Send crafted malformed input
Execution
Bypass improper input validation
Impact
Disclose sensitive data or alter processing

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to an Apache Camel route/endpoint that processes attacker-supplied input, on a vulnerable version (through 4.14.7, 4.15.0-4.18.2, or 4.19.0-4.20.0). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate and internally consistent rather than alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to an exposed Apache Camel endpoint sends crafted, malformed input that Camel fails to validate properly, causing the application to disclose information or partially alter its expected behavior. Given the AV:N/AC:L/PR:N vector, this requires no authentication and no user interaction and is low in complexity, though no public proof-of-concept has been published to date.
Remediation Vendor-released patch: upgrade to Apache Camel 4.14.8 (for the line through 4.14.7), 4.18.3 (for the 4.15.0-4.18.2 line), or 4.21.0 (for the 4.19.0-4.20.0 line), matching the fixed release to your current branch as recommended in the vendor advisory at https://camel.apache.org/security/CVE-2026-46588.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Apache Camel deployments, confirm affected versions (4.14.7 and below, 4.15.0-4.18.2, 4.19.0-4.20.0), and map network exposure of integration endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33453 CRITICAL POC
10.0 Apr 27

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap

CVE-2026-40858 HIGH POC
8.8 Apr 27

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote In

CVE-2026-47323 CRITICAL
9.8 May 19

Remote code execution in Apache Camel 3.18.0-4.14.5 and 4.15.0-4.18.1 stems from CXF and Knative HeaderFilterStrategy im

CVE-2026-33454 CRITICAL
9.4 Apr 27

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the

CVE-2026-46590 HIGH
8.8 Jul 06

Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and

CVE-2026-27172 HIGH
8.8 Apr 27

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner C

CVE-2026-46591 HIGH
8.2 Jul 06

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMat

CVE-2026-43865 HIGH
8.1 Jul 06

Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelca

CVE-2026-40859 HIGH
8.1 Jul 06

Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a p

CVE-2026-42527 HIGH
8.1 Jul 06

Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern b

CVE-2026-46457 HIGH
7.5 Jul 06

Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS c

CVE-2026-46592 HIGH
7.5 Jul 06

Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0

Share

CVE-2026-46588 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy