Skip to main content

Apache Camel DAPR CVE-2026-49086

| EUVDEUVD-2026-41842 MEDIUM
Improper Input Validation (CWE-20)
6.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.4 MEDIUM

Network publish access required (AV:N, PR:L); scope changes as messages cross Dapr component boundaries (S:C); impact is redirection and exfiltration, not code execution (C:L/I:L/A:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Severity Changed
Jul 06, 2026 - 20:22 NVD
CRITICAL MEDIUM
CVSS changed
Jul 06, 2026 - 20:22 NVD
6.5 (CRITICAL) 6.5 (MEDIUM)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 05, 2026 - 20:38 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Routing header injection in Apache Camel's camel-dapr component allows any actor with publish access to a subscribed Dapr Pub/Sub topic to redirect or exfiltrate re-published messages to an arbitrary Dapr Pub/Sub component and topic. The flaw exists in routes that both consume and republish via Dapr - specifically, DaprPubSubConsumer blindly copies attacker-controlled CloudEvent fields (pub/sub-name and topic) into producer-direction routing headers (CamelDaprPubSubName and CamelDaprTopic), which DaprConfigurationOptionsProxy then prefers over the route's configured endpoint destination. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Gain publish access to subscribed Dapr topic
Delivery
Craft CloudEvent with attacker-controlled pub/sub-name and topic fields
Exploit
Publish malicious CloudEvent to subscribed topic
Install
DaprPubSubConsumer copies fields into CamelDaprPubSubName and CamelDaprTopic Exchange headers
C2
DaprConfigurationOptionsProxy overrides configured endpoint with attacker-supplied destination
Execute
Re-published message delivered to arbitrary Dapr component and topic
Impact
Route's intended access controls bypassed; message redirected or exfiltrated

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) The target deployment must use the camel-dapr component with a route that both consumes messages FROM a Dapr Pub/Sub topic AND republishes those messages TO another Dapr Pub/Sub topic or component - a pass-through or transformation route pattern such as from('dapr-pubsub:p:t').to('dapr-pubsub:p:other'); routes that only consume or only produce are not affected. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate and narrowly scoped. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with publish access to a Dapr Pub/Sub topic monitored by a camel-dapr route crafts a CloudEvent where the pub/sub-name field is set to a Dapr component the attacker controls and the topic field points to an attacker-owned topic. When the camel-dapr route consumes this message and republishes it downstream, DaprConfigurationOptionsProxy reads the injected CamelDaprPubSubName and CamelDaprTopic headers and overrides the configured destination, delivering the re-published message - potentially containing sensitive business data - to the attacker's Dapr component instead of the intended recipient. …
Remediation The primary fix is to upgrade camel-dapr to a patched release: 4.14.8 for deployments on the 4.14.x LTS stream, 4.18.3 for those on the 4.18.x stream, or 4.21.0 for those on the latest stream. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Apache Camel deployments running camel-dapr component and implement access controls limiting Dapr Pub/Sub permissions. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Camel

View all
CVE-2025-27636 MEDIUM POC
5.6 Mar 09

Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0

CVE-2014-0002 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file

CVE-2016-8749 CRITICAL POC
9.8 Mar 28

Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri

CVE-2014-0003 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo

CVE-2026-23552 CRITICAL POC
9.1 Feb 23

Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper

CVE-2026-25747 HIGH POC
8.8 Feb 23

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria

CVE-2026-40473 HIGH POC
8.8 Apr 27

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp

CVE-2019-0194 HIGH POC
7.5 Apr 30

Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2017-12634 CRITICAL
9.8 Nov 15

The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se

CVE-2015-5344 CRITICAL
9.8 Feb 03

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb

CVE-2017-12633 CRITICAL
9.8 Nov 15

The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s

CVE-2013-4330 MEDIUM
6.8 Oct 04

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb

Share

CVE-2026-49086 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy