Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.2%top 93%

CVE-2026-46453: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel

0
Medium
VulnerabilityCVE-2026-46453cvecve-2026-46453cwe-20cwe-639
Published: 07/06/2026 (07/06/2026, 07:55:56 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Camel

Description

Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel ElasticSearch Rest Client. The camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - SEARCH_QUERY (an advanced query body), OPERATION (which Elasticsearch operation to run), INDEX_NAME, INDEX_SETTINGS and ID. The string values of these header constants, defined in ElasticSearchRestClientConstant, are plain unprefixed names ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') rather than the 'Camel'-prefixed names used by every other Camel component (for example CamelSqlQuery, CamelMongoDbCriteria, CamelCqlQuery). Camel's inbound HTTP header filter, HttpHeaderFilterStrategy, blocks only header names that begin with 'Camel' or 'camel'. Because the Elasticsearch header names do not carry that prefix, they pass through the inbound filter unchanged. When a Camel route exposes an HTTP entry point (for example platform-http) in front of an elasticsearch-rest-client producer, an untrusted HTTP client can set these headers directly on its request and override the query and operation that the route author configured: reading every document in the index (SEARCH_QUERY with a match_all query), deleting documents (OPERATION set to Delete together with ID), or exfiltrating selected fields. No credentials are required and the producer reads the headers unconditionally. This issue affects Apache Camel: from 4.3.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix renames the camel-elasticsearch-rest-client Exchange header constant string values (ID, SEARCH_QUERY, INDEX_SETTINGS, INDEX_NAME, OPERATION) to carry the Camel prefix (CamelElasticsearchId, CamelElasticsearchSearchQuery, CamelElasticsearchIndexSettings, CamelElasticsearchIndexName, CamelElasticsearchOperation) so that they are blocked by the inbound HttpHeaderFilterStrategy; the Java field names are unchanged. For deployments that cannot upgrade immediately, strip the affected headers from untrusted inbound messages before they reach the producer (for example removeHeader('SEARCH_QUERY'), removeHeader('OPERATION'), removeHeader('INDEX_NAME'), removeHeader('INDEX_SETTINGS') and removeHeader('ID') in front of the elasticsearch-rest-client endpoint), or apply a custom HeaderFilterStrategy that blocks these names.

CVSS v3.1

Score 5.3medium

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected software

Apache Software Foundation/org.apache.camel:camel-elasticsearch-rest-client
pkg:maven/Apache Software Foundation/org.apache.camel:camel-elasticsearch-rest-client
Affected versions
>=4.3.0 <4.14.8>=4.15.0 <4.18.3>=4.19.0 <4.21.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 09:21:36 UTC

Technical Analysis

The vulnerability in Apache Camel's camel-elasticsearch-rest-client component is due to improper input validation and authorization bypass via user-controlled headers. The component reads several Exchange headers (SEARCH_QUERY, OPERATION, INDEX_NAME, INDEX_SETTINGS, ID) without the 'Camel' prefix, allowing them to bypass Camel's inbound HTTP header filter. When an HTTP entry point exposes a route using this component, an attacker can set these headers directly, overriding the intended Elasticsearch operations such as running arbitrary queries (including match_all), deleting documents, or exfiltrating data. No authentication is required for this override. The issue affects Apache Camel versions >=4.3.0 <4.14.8, >=4.15.0 <4.18.3, and >=4.19.0 <4.21.0. The fix, introduced in version 4.21.0 and backported to 4.14.8 and 4.18.3, renames these headers to include the 'CamelElasticsearch' prefix so they are blocked by the inbound filter. For those unable to upgrade immediately, removing the affected headers from inbound messages or applying a custom header filter strategy is advised.

Potential Impact

An attacker controlling HTTP requests to a Camel route using the elasticsearch-rest-client can bypass authorization controls by setting specific headers to manipulate Elasticsearch operations. This can lead to unauthorized data access (e.g., reading all documents), data deletion, or exfiltration of sensitive fields without requiring credentials. This compromises the confidentiality and integrity of data managed by the affected Camel routes.

Mitigation Recommendations

Users should upgrade to Apache Camel version 4.21.0 or later, or to 4.14.8 or 4.18.3 if using the respective LTS streams, where the header names are prefixed to be blocked by the inbound HTTP header filter. For environments where immediate upgrade is not feasible, it is recommended to explicitly remove the affected headers ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') from untrusted inbound messages before they reach the elasticsearch-rest-client producer, or implement a custom HeaderFilterStrategy that blocks these header names.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-05-14T08:17:55.698Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null

Threat ID: 6a4b6cac27e9c79719252294

Added to database: 07/06/2026, 08:51:56 UTC

Last enriched: 07/06/2026, 09:21:36 UTC

Last updated: 07/06/2026, 23:07:47 UTC

Views: 6

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses