This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 690035d26a2c0238d2182e9d56285f06f4bdde68 Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:06 2026 +0200 Added CVE-2026-49086 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-49086.md | 17 +++++++++++++++++ content/security/CVE-2026-49086.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-49086.md b/content/security/CVE-2026-49086.md new file mode 100644 index 00000000..35a312ba --- /dev/null +++ b/content/security/CVE-2026-49086.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-49086" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-49086.html +draft: false +type: security-advisory +cve: CVE-2026-49086 +severity: MEDIUM +summary: "Apache Camel: Camel-Dapr: The Dapr Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to redirect the re-published message to an arbitrary Dapr Pub/Sub component and topic" +description: "The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These two headers are producer-direction routing headers: when the route republishes through a Dapr producer, DaprConfigurationOptionsProxy reads them back and prefers them over the destination configured on the endpoint. As a result, in a route that consumes fr [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers from the Exchange between the Dapr consumer and any Dapr producer in the route (for example removeHeaders('CamelD [...] +credit: "This issue was discovered by Leon Zlobecki" +affected: "From 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23630 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23886 (commit 72d13bd13fb5960ea1b367a2e379f017c1720c5c) and backported to camel-4.18.x (commit 86276a2ccc2cf8b09d7efeb38d9770845c4e1bea) and camel-4.14.x (commit c6fc9bb21670e5c65ea14df0f3f29baef78c2028). The fix stops DaprPubSubConsumer from setting the CamelDaprPubSubName and C [...] diff --git a/content/security/CVE-2026-49086.txt.asc b/content/security/CVE-2026-49086.txt.asc new file mode 100644 index 00000000..41fc06d8 --- /dev/null +++ b/content/security/CVE-2026-49086.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-49086" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-49086.html +draft: false +type: security-advisory +cve: CVE-2026-49086 +severity: MEDIUM +summary: "Apache Camel: Camel-Dapr: The Dapr Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to redirect the re-published message to an arbitrary Dapr Pub/Sub component and topic" +description: "The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These two headers are producer-direction routing headers: when the route republishes through a Dapr producer, DaprConfigurationOptionsProxy reads them back and prefers them over the destination configured on the endpoint. As a result, in a route that consumes fr [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers from the Exchange between the Dapr consumer and any Dapr producer in the route (for example removeHeaders('CamelD [...] +credit: "This issue was discovered by Leon Zlobecki" +affected: "From 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23630 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23886 (commit 72d13bd13fb5960ea1b367a2e379f017c1720c5c) and backported to camel-4.18.x (commit 86276a2ccc2cf8b09d7efeb38d9770845c4e1bea) and camel-4.14.x (commit c6fc9bb21670e5c65ea14df0f3f29baef78c2028). The fix stops DaprPubSubConsumer from setting the CamelDaprPubSubName and C [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ +QQDcOQf/XURbbo0M6RbY17t6YywJtv+bXQD/yvqYqo15SsvAGq03oheNuPGopZiP +EEQn5LXXvilZcBaCMUdgZY009ccrcI0viGyRpyF+B4xOXBCJPkwIjR6vLeCnc0Ju +Ad8sg3kuIWd7eEntsTKiYEf6HaRh6YufJtawGgrWlYW7I/zXXJCy1YQ29eEszrZu +OIO31coxoGXhZooYZ22QDVhb+lCx2xsyozk3v2vuHp1SOQ8TI9rE6oIll8SSDCx1 +3FCTdjFOAnQ2PqUZvhjbSkcrQXvzLDgGb9Lwe8rJlkuCmYUfwyQ9JZ8SBHmBTNb0 +JvT2NnhC3JN2RrMIhR3rxW2IO8Fu+w== +=ANY3 +-----END PGP SIGNATURE-----
