Skip to main content

Apache Camel CVE-2026-55993

| EUVDEUVD-2026-41849 HIGH
Improper Input Validation (CWE-20)
7.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network-reachable header injection when the WebSocket endpoint is unauthenticated (PR:N/AV:N/AC:L); primary impact is secret disclosure (C:H) with no direct integrity or availability change to the Camel host (I:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jul 07, 2026 - 13:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 07, 2026 - 13:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 07, 2026 - 13:22 vuln.today
cvss_changed
CVSS changed
Jul 07, 2026 - 13:22 NVD
7.5 (HIGH)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 05, 2026 - 20:24 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Server-side request forgery and secret disclosure in Apache Camel's camel-atmosphere-websocket component allow a remote attacker to hijack downstream server-side HTTP requests by injecting Camel control headers as WebSocket query parameters. Affecting Camel 4.0.0-4.14.7, 4.15.0-4.18.2 and 4.19.0-4.20.x, the flaw lets an attacker set CamelHttpUri to redirect internal HTTP calls (e.g., to cloud metadata endpoints) and force resolution of Camel property placeholders, leaking environment variables, application properties and vault secrets. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Connect to unauthenticated WebSocket endpoint
Delivery
Supply CamelHttpUri as query parameter
Exploit
Header injected into Camel Exchange
Execution
Downstream HTTP producer sends server-side request
Persist
Placeholders resolved on attacker URI
Impact
Exfiltrate secrets and reach internal services

Vulnerability AssessmentAI

Exploitation Exploitation requires a Camel route that uses the camel-atmosphere-websocket consumer AND forwards messages into a downstream HTTP producer whose target URI can be influenced by Exchange headers (the injected CamelHttpUri / Exchange.HTTP_URI). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:N/A:N, 7.5 High) describes an easy, network-reachable, unauthenticated confidentiality breach - but this rating is conditional on a specific deployment: the WebSocket endpoint being exposed without authentication AND a route bridging that consumer into an HTTP producer with a header-drivable target URI. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker connects to an internet-exposed, unauthenticated camel-atmosphere-websocket endpoint and appends query parameters such as CamelHttpUri=http://169.254.169.254/latest/meta-data/ (or a value embedding a ${env:...} / vault placeholder). The Camel route copies this into the Exchange, and the downstream HTTP producer issues the server-side request to the attacker-chosen destination and resolves the embedded placeholder, returning cloud metadata or vault secrets to the attacker. …
Remediation Vendor-released patch: upgrade to Apache Camel 4.21.0, which fixes the issue; users on the 4.14.x LTS stream should move to 4.14.8, and users on the 4.18.x stream should move to 4.18.3 (per https://camel.apache.org/security/CVE-2026-55993.html). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Apache Camel with camel-atmosphere-websocket components and identify any WebSocket endpoints exposed without authentication. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Camel

View all
CVE-2025-27636 MEDIUM POC
5.6 Mar 09

Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0

CVE-2014-0002 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file

CVE-2016-8749 CRITICAL POC
9.8 Mar 28

Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri

CVE-2014-0003 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo

CVE-2026-23552 CRITICAL POC
9.1 Feb 23

Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper

CVE-2026-25747 HIGH POC
8.8 Feb 23

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria

CVE-2026-40473 HIGH POC
8.8 Apr 27

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp

CVE-2019-0194 HIGH POC
7.5 Apr 30

Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2017-12634 CRITICAL
9.8 Nov 15

The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se

CVE-2015-5344 CRITICAL
9.8 Feb 03

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb

CVE-2017-12633 CRITICAL
9.8 Nov 15

The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s

CVE-2013-4330 MEDIUM
6.8 Oct 04

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb

Share

CVE-2026-55993 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy