GHSA-mm84-qvjh-hcj7
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AV:N via HTTP; PR:N for unauthenticated HTTP ingress; S:C because Kafka is a separate security scope; I:H for arbitrary cross-topic message injection.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Description PRE-NVD
Articles & Coverage 4
AnalysisAI
Header injection in Apache Camel's camel-kafka component allows HTTP clients to redirect Kafka messages to arbitrary topics in routes that bridge an HTTP consumer into a Kafka producer. The kafka.OVERRIDE_TOPIC, kafka.OVERRIDE_TIMESTAMP, and kafka.PARTITION_KEY Exchange header constants used non-CamelKafka-prefixed names, causing them to bypass HttpHeaderFilterStrategy - which blocks only the Camel/camel namespace - while remaining readable by KafkaProducer.evaluateTopic() as authoritative control directives. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires three conditions to be simultaneously true: first, the target deployment must run a Camel route that explicitly chains an HTTP consumer component (platform-http, camel-servlet, camel-jetty, or equivalent) into a kafka: producer - pure Kafka-to-Kafka routes, JMS-to-Kafka, or any non-HTTP ingress routes are entirely unaffected since HttpHeaderFilterStrategy is not involved. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor rates this vulnerability Moderate; no CVSS base vector or EPSS score was provided in the advisory, so quantitative signal comparison is unavailable. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a financial services platform discovers a public-facing Apache Camel HTTP endpoint (platform-http) that receives webhook events and routes them to a kafka://transactions.inbound topic for downstream processing. The attacker sends a POST request with the standard event payload but adds the HTTP header kafka.OVERRIDE_TOPIC: payments.settlement.confirmed - HttpHeaderFilterStrategy passes it unblocked, KafkaProducer.evaluateTopic() reads it as the authoritative destination, and the message lands in the settlements topic consumed by the payment finalization service rather than the intended inbound topic. … |
| Remediation | Upgrade to Apache Camel 4.14.8 (LTS stream), 4.18.3 (LTS stream), or 4.21.0 - all released in July 2026 per the Apache Camel project blog and confirmed by the official security advisory at https://camel.apache.org/security/CVE-2026-49098.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Inventory all Apache Camel deployments and identify instances using the camel-kafka component with HTTP consumers; implement network-level access restrictions to HTTP ingress endpoints. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo
Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp
Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41844