This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit e89d918bac256ce23213f69cbe59a835ee69b982 Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:06 2026 +0200 Added CVE-2026-46726 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-46726.md | 17 +++++++++++++++++ content/security/CVE-2026-46726.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-46726.md b/content/security/CVE-2026-46726.md new file mode 100644 index 00000000..88a55b65 --- /dev/null +++ b/content/security/CVE-2026-46726.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-46726" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-46726.html +draft: false +type: security-advisory +cve: CVE-2026-46726 +severity: HIGH +summary: "Apache Camel: Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and Camel-Iggy: Inbound consumers map externally-supplied parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets through the vertx-websocket consumer" +description: "The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into th [...] +credit: "This issue was discovered by Kamalpreet Singh" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated HeaderFilterStrategy to each affected consumer - a [...] diff --git a/content/security/CVE-2026-46726.txt.asc b/content/security/CVE-2026-46726.txt.asc new file mode 100644 index 00000000..b16ede30 --- /dev/null +++ b/content/security/CVE-2026-46726.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-46726" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-46726.html +draft: false +type: security-advisory +cve: CVE-2026-46726 +severity: HIGH +summary: "Apache Camel: Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and Camel-Iggy: Inbound consumers map externally-supplied parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets through the vertx-websocket consumer" +description: "The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into th [...] +credit: "This issue was discovered by Kamalpreet Singh" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated HeaderFilterStrategy to each affected consumer - a [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/ +QQAIJgf/WiofpIpYaklvH5pBAucVW+SVzBoQovo1I6NtZ4aZvAUQ1Tfjb1BNtSjZ +wbbIwJavaBRhc4an5oDWqL0Z6oBl8yRp1kx8HTx8AqtEbUPzxLEHh9kYEitsMxpG +Bl3+hMyROt7WEkpqsv83PuiYwknVl8il4KEvp1LkXZcWmKrkGucOlQwt8C1NAWT6 +ZTU68ahWtAfKuVLrpevrFhQ9hr+QWX7KHd7YfFXj7Sx35opvrtDnn7yTUDuUzJGG +Z3pxd6ceYAEeUgkXhtjGr/qjyj1qkaEaC9eOpsTFg3Bfbxa5RH86tfpJv9Uw0yj9 +sWvI9yHjXVkiqsegQWgUVxXf/ya7lg== +=q1do +-----END PGP SIGNATURE-----
