Skip to main content

Apache Camel Kafka CVE-2026-49098

| EUVDEUVD-2026-41844 MEDIUM
Improper Input Validation (CWE-20)
5.3
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
9.9 CRITICAL

AV:N via HTTP; PR:N for unauthenticated HTTP ingress; S:C because Kafka is a separate security scope; I:H for arbitrary cross-topic message injection.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:L/SI:H/SA:L

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 07, 2026 - 13:22 NVD
5.3 (MEDIUM)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 05, 2026 - 20:33 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Header injection in Apache Camel's camel-kafka component allows HTTP clients to redirect Kafka messages to arbitrary topics in routes that bridge an HTTP consumer into a Kafka producer. The kafka.OVERRIDE_TOPIC, kafka.OVERRIDE_TIMESTAMP, and kafka.PARTITION_KEY Exchange header constants used non-CamelKafka-prefixed names, causing them to bypass HttpHeaderFilterStrategy - which blocks only the Camel/camel namespace - while remaining readable by KafkaProducer.evaluateTopic() as authoritative control directives. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify HTTP-to-Kafka bridge route on Camel deployment
Delivery
Craft HTTP request with kafka.OVERRIDE_TOPIC header set to target topic
Exploit
HttpHeaderFilterStrategy passes kafka.* header unblocked into Exchange
Execution
KafkaProducer.evaluateTopic() reads header as authoritative destination override
Persist
Message published to attacker-specified Kafka topic
Impact
Downstream service consuming that topic processes attacker-injected message

Vulnerability AssessmentAI

Exploitation Exploitation requires three conditions to be simultaneously true: first, the target deployment must run a Camel route that explicitly chains an HTTP consumer component (platform-http, camel-servlet, camel-jetty, or equivalent) into a kafka: producer - pure Kafka-to-Kafka routes, JMS-to-Kafka, or any non-HTTP ingress routes are entirely unaffected since HttpHeaderFilterStrategy is not involved. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor rates this vulnerability Moderate; no CVSS base vector or EPSS score was provided in the advisory, so quantitative signal comparison is unavailable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a financial services platform discovers a public-facing Apache Camel HTTP endpoint (platform-http) that receives webhook events and routes them to a kafka://transactions.inbound topic for downstream processing. The attacker sends a POST request with the standard event payload but adds the HTTP header kafka.OVERRIDE_TOPIC: payments.settlement.confirmed - HttpHeaderFilterStrategy passes it unblocked, KafkaProducer.evaluateTopic() reads it as the authoritative destination, and the message lands in the settlements topic consumed by the payment finalization service rather than the intended inbound topic. …
Remediation Upgrade to Apache Camel 4.14.8 (LTS stream), 4.18.3 (LTS stream), or 4.21.0 - all released in July 2026 per the Apache Camel project blog and confirmed by the official security advisory at https://camel.apache.org/security/CVE-2026-49098.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all Apache Camel deployments and identify instances using the camel-kafka component with HTTP consumers; implement network-level access restrictions to HTTP ingress endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Camel

View all
CVE-2025-27636 MEDIUM POC
5.6 Mar 09

Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0

CVE-2014-0002 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file

CVE-2016-8749 CRITICAL POC
9.8 Mar 28

Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri

CVE-2014-0003 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo

CVE-2026-23552 CRITICAL POC
9.1 Feb 23

Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper

CVE-2026-25747 HIGH POC
8.8 Feb 23

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria

CVE-2026-40473 HIGH POC
8.8 Apr 27

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp

CVE-2019-0194 HIGH POC
7.5 Apr 30

Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2017-12634 CRITICAL
9.8 Nov 15

The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se

CVE-2015-5344 CRITICAL
9.8 Feb 03

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb

CVE-2017-12633 CRITICAL
9.8 Nov 15

The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s

CVE-2013-4330 MEDIUM
6.8 Oct 04

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb

Share

CVE-2026-49098 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy