CVE-2026-46585: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel Lucene
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Lucene Component. The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation behind an HTTP consumer (for example platform-http), any HTTP client could therefore set the QUERY header and have its value executed against the full-text index, overriding the query the route intended to run. Depending on what is indexed, this allows reading documents the request should not have access to (for example a match-all query returns the entire index, or the route's intended per-user filter can be replaced), and expensive regular-expression queries can consume significant CPU. No credentials are required when the HTTP consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip the attacker-controllable headers before the Lucene producer and set the query from a trusted source (for example removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS'), then setHeader('QUERY', constant(...)) at the start of the route).
AI Analysis
Technical Summary
The vulnerability arises because the camel-lucene producer reads the search phrase from HTTP headers named QUERY and RETURN_LUCENE_DOCS, which are not filtered by the HttpHeaderFilterStrategy since they lack the Camel prefix. This allows an unauthenticated HTTP client to inject arbitrary Lucene queries into the route, potentially bypassing intended access controls or causing high CPU usage. The flaw affects Apache Camel Lucene versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The recommended fix is to upgrade to 4.21.0 or the appropriate LTS patch versions. For those unable to upgrade immediately, removing the QUERY and RETURN_LUCENE_DOCS headers before the Lucene producer and setting queries from trusted sources is advised.
Potential Impact
An attacker can bypass authorization controls by injecting arbitrary Lucene queries via HTTP headers, potentially accessing documents that should be restricted or causing denial of service through resource-intensive queries. No authentication is required if the HTTP consumer is unauthenticated, increasing the risk of exploitation. The impact includes unauthorized data disclosure and performance degradation.
Mitigation Recommendations
A fix is available in Apache Camel versions 4.14.8, 4.18.3, and 4.21.0. Users should upgrade to these versions to resolve the vulnerability. After upgrading, routes must use CamelLuceneQuery and CamelLuceneReturnLuceneDocs headers instead of QUERY and RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, it is recommended to strip the attacker-controllable QUERY and RETURN_LUCENE_DOCS headers before the Lucene producer and set the query from a trusted source within the route.
CVE-2026-46585: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel Lucene
Description
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Lucene Component. The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation behind an HTTP consumer (for example platform-http), any HTTP client could therefore set the QUERY header and have its value executed against the full-text index, overriding the query the route intended to run. Depending on what is indexed, this allows reading documents the request should not have access to (for example a match-all query returns the entire index, or the route's intended per-user filter can be replaced), and expensive regular-expression queries can consume significant CPU. No credentials are required when the HTTP consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip the attacker-controllable headers before the Lucene producer and set the query from a trusted source (for example removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS'), then setHeader('QUERY', constant(...)) at the start of the route).
CVSS v3.1
Score 7.5high
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-luceneRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because the camel-lucene producer reads the search phrase from HTTP headers named QUERY and RETURN_LUCENE_DOCS, which are not filtered by the HttpHeaderFilterStrategy since they lack the Camel prefix. This allows an unauthenticated HTTP client to inject arbitrary Lucene queries into the route, potentially bypassing intended access controls or causing high CPU usage. The flaw affects Apache Camel Lucene versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The recommended fix is to upgrade to 4.21.0 or the appropriate LTS patch versions. For those unable to upgrade immediately, removing the QUERY and RETURN_LUCENE_DOCS headers before the Lucene producer and setting queries from trusted sources is advised.
Potential Impact
An attacker can bypass authorization controls by injecting arbitrary Lucene queries via HTTP headers, potentially accessing documents that should be restricted or causing denial of service through resource-intensive queries. No authentication is required if the HTTP consumer is unauthenticated, increasing the risk of exploitation. The impact includes unauthorized data disclosure and performance degradation.
Mitigation Recommendations
A fix is available in Apache Camel versions 4.14.8, 4.18.3, and 4.21.0. Users should upgrade to these versions to resolve the vulnerability. After upgrading, routes must use CamelLuceneQuery and CamelLuceneReturnLuceneDocs headers instead of QUERY and RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, it is recommended to strip the attacker-controllable QUERY and RETURN_LUCENE_DOCS headers before the Lucene producer and set the query from a trusted source within the route.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-15T07:54:48.302Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4b6cac27e9c797192522a7
Added to database: 07/06/2026, 08:51:56 UTC
Last enriched: 07/06/2026, 09:08:58 UTC
Last updated: 07/06/2026, 23:08:03 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.