GHSA-463m-2hr2-q2j7
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Network-delivered HTTP header injection with no auth required; scope changed as attack crosses HTTP-to-IRC boundary; limited confidentiality and integrity impact only.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3Description PRE-NVD
Articles & Coverage 4
AnalysisAI
Header injection in Apache Camel's camel-irc component enables unauthenticated HTTP clients to redirect outgoing IRC messages to attacker-chosen channels or users by supplying non-Camel-prefixed headers (e.g., irc.sendTo) that Camel's HttpHeaderFilterStrategy fails to block. Affected versions span 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; fixes are available in 4.14.8, 4.18.3, and 4.21.0. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two simultaneous deployment conditions: first, a Camel route must use an HTTP consumer component (such as platform-http, camel-servlet, or camel-jetty) as its entry point; and second, that same route must connect to an irc: producer endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No NVD CVSS vector or EPSS score was published for this CVE at time of analysis; Apache rated it 'moderate' severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends an HTTP POST to an unauthenticated Camel HTTP consumer endpoint with the custom header 'irc.sendTo: #exfil-channel' appended to the request. The HttpHeaderFilterStrategy passes this header through unchallenged, it enters the Camel Exchange, and the downstream IRC producer reads it as an override, delivering the message body - which may contain sensitive integration data - to the attacker's IRC channel instead of the intended configured destination. … |
| Remediation | The primary fix is to upgrade camel-irc to 4.14.8 (for 4.14.x LTS users), 4.18.3 (for 4.18.x users), or 4.21.0 (for users on the latest stream), as documented in the vendor advisory at https://camel.apache.org/security/CVE-2026-49097.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all production systems running Apache Camel versions 4.0.0-4.14.7, 4.15.0-4.18.2, or 4.19.0-4.20.x with camel-irc components. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo
Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp
Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41843