Skip to main content

Apache Camel EUVDEUVD-2026-41839

| CVE-2026-48204 CRITICAL
Improper Input Validation (CWE-20)
9.8
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Given the default header-driven route bridged from unauthenticated HTTP, exploitation is network-based with no auth or interaction (AV:N/AC:L/PR:N/UI:N) and yields full read/delete/enumerate impact (C/I/A:H).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 06, 2026 - 21:19 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:18 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 20:22 NVD
9.8 (CRITICAL)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 05, 2026 - 20:46 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Unauthenticated NoSQL operation hijacking in Apache Camel's camel-mongodb-gridfs component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) lets a remote HTTP client override the intended GridFS operation and inject MongoDB query documents. When a route bridges an HTTP consumer such as platform-http into a mongodb-gridfs: producer that has no explicit operation set (the default), the raw gridfs.operation, gridfs.objectid and gridfs.metadata headers pass through the HTTP header filter because they lack the Camel/camel prefix, allowing an attacker to turn an intended upload into remove, listAll, or findOne and to inject NoSQL operators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach unauthenticated HTTP consumer
Delivery
Send request with gridfs.operation header
Exploit
Header bypasses Camel HTTP filter
Execution
Override producer operation to remove/listAll/findOne
Persist
Inject gridfs.metadata as Mongo document
Impact
Read, delete, or enumerate GridFS bucket

Vulnerability AssessmentAI

Exploitation Exploitation requires a Camel route that bridges an HTTP-facing consumer (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals conflict and must be weighed together. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An application exposes a platform-http endpoint that forwards uploads into a mongodb-gridfs: producer with no operation set. An unauthenticated attacker sends an HTTP request carrying gridfs.operation: remove and gridfs.objectid: <target> to delete an arbitrary stored file, or gridfs.operation: listAll to enumerate the entire bucket, and can supply a crafted gridfs.metadata value to inject MongoDB operators. …
Remediation Vendor-released patch: upgrade to Apache Camel 4.21.0, which fixes the issue; on the 4.14.x LTS stream upgrade to 4.14.8, and on the 4.18.x stream upgrade to 4.18.3, per https://camel.apache.org/security/CVE-2026-48204.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all production systems running vulnerable Apache Camel versions (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) and identify those with mongodb-gridfs features exposed through HTTP endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Camel

View all
CVE-2025-27636 MEDIUM POC
5.6 Mar 09

Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0

CVE-2014-0002 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file

CVE-2016-8749 CRITICAL POC
9.8 Mar 28

Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri

CVE-2014-0003 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo

CVE-2026-23552 CRITICAL POC
9.1 Feb 23

Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper

CVE-2026-25747 HIGH POC
8.8 Feb 23

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria

CVE-2026-40473 HIGH POC
8.8 Apr 27

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp

CVE-2019-0194 HIGH POC
7.5 Apr 30

Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2017-12634 CRITICAL
9.8 Nov 15

The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se

CVE-2015-5344 CRITICAL
9.8 Feb 03

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb

CVE-2017-12633 CRITICAL
9.8 Nov 15

The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s

CVE-2013-4330 MEDIUM
6.8 Oct 04

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb

Share

EUVD-2026-41839 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy