This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 690035d26a2c0238d2182e9d56285f06f4bdde68
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:06 2026 +0200

    Added CVE-2026-49086
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-49086.md      | 17 +++++++++++++++++
 content/security/CVE-2026-49086.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-49086.md 
b/content/security/CVE-2026-49086.md
new file mode 100644
index 00000000..35a312ba
--- /dev/null
+++ b/content/security/CVE-2026-49086.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-49086"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-49086.html
+draft: false
+type: security-advisory
+cve: CVE-2026-49086
+severity: MEDIUM
+summary: "Apache Camel: Camel-Dapr: The Dapr Pub/Sub consumer copied the 
inbound CloudEvent's pub/sub-name and topic into producer-direction routing 
headers, allowing an actor who can publish to the subscribed topic to redirect 
the re-published message to an arbitrary Dapr Pub/Sub component and topic"
+description: "The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied 
two fields from each inbound CloudEvent - its Pub/Sub component name and its 
topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These 
two headers are producer-direction routing headers: when the route republishes 
through a Dapr producer, DaprConfigurationOptionsProxy reads them back and 
prefers them over the destination configured on the endpoint. As a result, in a 
route that consumes fr [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers 
from the Exchange between the Dapr consumer and any Dapr producer in the route 
(for example removeHeaders('CamelD [...]
+credit: "This issue was discovered by Leon Zlobecki"
+affected: "From 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23630 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23886 (commit 
72d13bd13fb5960ea1b367a2e379f017c1720c5c) and backported to camel-4.18.x 
(commit 86276a2ccc2cf8b09d7efeb38d9770845c4e1bea) and camel-4.14.x (commit 
c6fc9bb21670e5c65ea14df0f3f29baef78c2028). The fix stops DaprPubSubConsumer 
from setting the CamelDaprPubSubName and C [...]
diff --git a/content/security/CVE-2026-49086.txt.asc 
b/content/security/CVE-2026-49086.txt.asc
new file mode 100644
index 00000000..41fc06d8
--- /dev/null
+++ b/content/security/CVE-2026-49086.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-49086"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-49086.html
+draft: false
+type: security-advisory
+cve: CVE-2026-49086
+severity: MEDIUM
+summary: "Apache Camel: Camel-Dapr: The Dapr Pub/Sub consumer copied the 
inbound CloudEvent's pub/sub-name and topic into producer-direction routing 
headers, allowing an actor who can publish to the subscribed topic to redirect 
the re-published message to an arbitrary Dapr Pub/Sub component and topic"
+description: "The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied 
two fields from each inbound CloudEvent - its Pub/Sub component name and its 
topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These 
two headers are producer-direction routing headers: when the route republishes 
through a Dapr producer, DaprConfigurationOptionsProxy reads them back and 
prefers them over the destination configured on the endpoint. As a result, in a 
route that consumes fr [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. For deployments that cannot 
upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers 
from the Exchange between the Dapr consumer and any Dapr producer in the route 
(for example removeHeaders('CamelD [...]
+credit: "This issue was discovered by Leon Zlobecki"
+affected: "From 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23630 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23886 (commit 
72d13bd13fb5960ea1b367a2e379f017c1720c5c) and backported to camel-4.18.x 
(commit 86276a2ccc2cf8b09d7efeb38d9770845c4e1bea) and camel-4.14.x (commit 
c6fc9bb21670e5c65ea14df0f3f29baef78c2028). The fix stops DaprPubSubConsumer 
from setting the CamelDaprPubSubName and C [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/
+QQDcOQf/XURbbo0M6RbY17t6YywJtv+bXQD/yvqYqo15SsvAGq03oheNuPGopZiP
+EEQn5LXXvilZcBaCMUdgZY009ccrcI0viGyRpyF+B4xOXBCJPkwIjR6vLeCnc0Ju
+Ad8sg3kuIWd7eEntsTKiYEf6HaRh6YufJtawGgrWlYW7I/zXXJCy1YQ29eEszrZu
+OIO31coxoGXhZooYZ22QDVhb+lCx2xsyozk3v2vuHp1SOQ8TI9rE6oIll8SSDCx1
+3FCTdjFOAnQ2PqUZvhjbSkcrQXvzLDgGb9Lwe8rJlkuCmYUfwyQ9JZ8SBHmBTNb0
+JvT2NnhC3JN2RrMIhR3rxW2IO8Fu+w==
+=ANY3
+-----END PGP SIGNATURE-----

Reply via email to