CVE-2026-46453: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel ElasticSearch Rest Client. The camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - SEARCH_QUERY (an advanced query body), OPERATION (which Elasticsearch operation to run), INDEX_NAME, INDEX_SETTINGS and ID. The string values of these header constants, defined in ElasticSearchRestClientConstant, are plain unprefixed names ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') rather than the 'Camel'-prefixed names used by every other Camel component (for example CamelSqlQuery, CamelMongoDbCriteria, CamelCqlQuery). Camel's inbound HTTP header filter, HttpHeaderFilterStrategy, blocks only header names that begin with 'Camel' or 'camel'. Because the Elasticsearch header names do not carry that prefix, they pass through the inbound filter unchanged. When a Camel route exposes an HTTP entry point (for example platform-http) in front of an elasticsearch-rest-client producer, an untrusted HTTP client can set these headers directly on its request and override the query and operation that the route author configured: reading every document in the index (SEARCH_QUERY with a match_all query), deleting documents (OPERATION set to Delete together with ID), or exfiltrating selected fields. No credentials are required and the producer reads the headers unconditionally. This issue affects Apache Camel: from 4.3.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix renames the camel-elasticsearch-rest-client Exchange header constant string values (ID, SEARCH_QUERY, INDEX_SETTINGS, INDEX_NAME, OPERATION) to carry the Camel prefix (CamelElasticsearchId, CamelElasticsearchSearchQuery, CamelElasticsearchIndexSettings, CamelElasticsearchIndexName, CamelElasticsearchOperation) so that they are blocked by the inbound HttpHeaderFilterStrategy; the Java field names are unchanged. For deployments that cannot upgrade immediately, strip the affected headers from untrusted inbound messages before they reach the producer (for example removeHeader('SEARCH_QUERY'), removeHeader('OPERATION'), removeHeader('INDEX_NAME'), removeHeader('INDEX_SETTINGS') and removeHeader('ID') in front of the elasticsearch-rest-client endpoint), or apply a custom HeaderFilterStrategy that blocks these names.
AI Analysis
Technical Summary
The vulnerability in Apache Camel's camel-elasticsearch-rest-client component is due to improper input validation and authorization bypass via user-controlled headers. The component reads several Exchange headers (SEARCH_QUERY, OPERATION, INDEX_NAME, INDEX_SETTINGS, ID) without the 'Camel' prefix, allowing them to bypass Camel's inbound HTTP header filter. When an HTTP entry point exposes a route using this component, an attacker can set these headers directly, overriding the intended Elasticsearch operations such as running arbitrary queries (including match_all), deleting documents, or exfiltrating data. No authentication is required for this override. The issue affects Apache Camel versions >=4.3.0 <4.14.8, >=4.15.0 <4.18.3, and >=4.19.0 <4.21.0. The fix, introduced in version 4.21.0 and backported to 4.14.8 and 4.18.3, renames these headers to include the 'CamelElasticsearch' prefix so they are blocked by the inbound filter. For those unable to upgrade immediately, removing the affected headers from inbound messages or applying a custom header filter strategy is advised.
Potential Impact
An attacker controlling HTTP requests to a Camel route using the elasticsearch-rest-client can bypass authorization controls by setting specific headers to manipulate Elasticsearch operations. This can lead to unauthorized data access (e.g., reading all documents), data deletion, or exfiltration of sensitive fields without requiring credentials. This compromises the confidentiality and integrity of data managed by the affected Camel routes.
Mitigation Recommendations
Users should upgrade to Apache Camel version 4.21.0 or later, or to 4.14.8 or 4.18.3 if using the respective LTS streams, where the header names are prefixed to be blocked by the inbound HTTP header filter. For environments where immediate upgrade is not feasible, it is recommended to explicitly remove the affected headers ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') from untrusted inbound messages before they reach the elasticsearch-rest-client producer, or implement a custom HeaderFilterStrategy that blocks these header names.
CVE-2026-46453: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel
Description
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel ElasticSearch Rest Client. The camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - SEARCH_QUERY (an advanced query body), OPERATION (which Elasticsearch operation to run), INDEX_NAME, INDEX_SETTINGS and ID. The string values of these header constants, defined in ElasticSearchRestClientConstant, are plain unprefixed names ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') rather than the 'Camel'-prefixed names used by every other Camel component (for example CamelSqlQuery, CamelMongoDbCriteria, CamelCqlQuery). Camel's inbound HTTP header filter, HttpHeaderFilterStrategy, blocks only header names that begin with 'Camel' or 'camel'. Because the Elasticsearch header names do not carry that prefix, they pass through the inbound filter unchanged. When a Camel route exposes an HTTP entry point (for example platform-http) in front of an elasticsearch-rest-client producer, an untrusted HTTP client can set these headers directly on its request and override the query and operation that the route author configured: reading every document in the index (SEARCH_QUERY with a match_all query), deleting documents (OPERATION set to Delete together with ID), or exfiltrating selected fields. No credentials are required and the producer reads the headers unconditionally. This issue affects Apache Camel: from 4.3.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix renames the camel-elasticsearch-rest-client Exchange header constant string values (ID, SEARCH_QUERY, INDEX_SETTINGS, INDEX_NAME, OPERATION) to carry the Camel prefix (CamelElasticsearchId, CamelElasticsearchSearchQuery, CamelElasticsearchIndexSettings, CamelElasticsearchIndexName, CamelElasticsearchOperation) so that they are blocked by the inbound HttpHeaderFilterStrategy; the Java field names are unchanged. For deployments that cannot upgrade immediately, strip the affected headers from untrusted inbound messages before they reach the producer (for example removeHeader('SEARCH_QUERY'), removeHeader('OPERATION'), removeHeader('INDEX_NAME'), removeHeader('INDEX_SETTINGS') and removeHeader('ID') in front of the elasticsearch-rest-client endpoint), or apply a custom HeaderFilterStrategy that blocks these names.
CVSS v3.1
Score 5.3medium
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-elasticsearch-rest-clientRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Camel's camel-elasticsearch-rest-client component is due to improper input validation and authorization bypass via user-controlled headers. The component reads several Exchange headers (SEARCH_QUERY, OPERATION, INDEX_NAME, INDEX_SETTINGS, ID) without the 'Camel' prefix, allowing them to bypass Camel's inbound HTTP header filter. When an HTTP entry point exposes a route using this component, an attacker can set these headers directly, overriding the intended Elasticsearch operations such as running arbitrary queries (including match_all), deleting documents, or exfiltrating data. No authentication is required for this override. The issue affects Apache Camel versions >=4.3.0 <4.14.8, >=4.15.0 <4.18.3, and >=4.19.0 <4.21.0. The fix, introduced in version 4.21.0 and backported to 4.14.8 and 4.18.3, renames these headers to include the 'CamelElasticsearch' prefix so they are blocked by the inbound filter. For those unable to upgrade immediately, removing the affected headers from inbound messages or applying a custom header filter strategy is advised.
Potential Impact
An attacker controlling HTTP requests to a Camel route using the elasticsearch-rest-client can bypass authorization controls by setting specific headers to manipulate Elasticsearch operations. This can lead to unauthorized data access (e.g., reading all documents), data deletion, or exfiltration of sensitive fields without requiring credentials. This compromises the confidentiality and integrity of data managed by the affected Camel routes.
Mitigation Recommendations
Users should upgrade to Apache Camel version 4.21.0 or later, or to 4.14.8 or 4.18.3 if using the respective LTS streams, where the header names are prefixed to be blocked by the inbound HTTP header filter. For environments where immediate upgrade is not feasible, it is recommended to explicitly remove the affected headers ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') from untrusted inbound messages before they reach the elasticsearch-rest-client producer, or implement a custom HeaderFilterStrategy that blocks these header names.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-14T08:17:55.698Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4b6cac27e9c79719252294
Added to database: 07/06/2026, 08:51:56 UTC
Last enriched: 07/06/2026, 09:21:36 UTC
Last updated: 07/06/2026, 23:07:47 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.