Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Vendor-assigned network, unauthenticated, low-complexity path with bounded Low impact retained absent any description detail contradicting AV:N/PR:N, though component specifics are unverifiable.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
Improper Input Validation vulnerability in Apache Camel.
This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0.
Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue.
AnalysisAI
Improper input validation in Apache Camel - the open-source Java integration framework - affects versions through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0, and per the Apache-published advisory carries partial (Low) impact to confidentiality, integrity, and availability. Tagged as an Information Disclosure issue, it is remotely reachable per the CVSS network vector and appears to let a remote attacker submit malformed input that the framework fails to properly validate, potentially exposing limited data or perturbing message processing. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The precondition is that a vulnerable Apache Camel route or component in an affected version (≤4.14.7, 4.15.0-4.18.2, or 4.19.0-4.20.0) is reachable and processes attacker-supplied input - the CVSS vector (AV:N/PR:N/UI:N/AC:L) implies remote, unauthenticated exploitation with no user interaction against such an endpoint. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate and internally consistent but thin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends crafted, malformed input to a network-exposed Apache Camel route or component that fails to validate it, causing the framework to disclose limited information or mis-handle the message, consistent with the low confidentiality/integrity/availability impact in the CVSS vector. The AV:N/AC:L/PR:N/UI:N profile implies this can be attempted remotely without authentication or user interaction. … |
| Remediation | Vendor-released patch: upgrade to Apache Camel 4.14.8 (for the 4.14.x and earlier line), 4.18.3 (for the 4.15.0-4.18.2 line), or 4.21.0 (for the 4.19.0-4.20.0 line), matching the fixed release to your current branch as documented in the Apache advisory at https://camel.apache.org/security/CVE-2026-46587.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Enumerate all systems running Apache Camel and document installed versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Apache Camel
View allImproperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap
The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote In
Remote code execution in Apache Camel 3.18.0-4.14.5 and 4.15.0-4.18.1 stems from CXF and Knative HeaderFilterStrategy im
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the
Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and
The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner C
Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMat
Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelca
Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a p
Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern b
Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS c
Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41865
GHSA-46jf-c9vx-hh79