CVE-2026-46726: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel Vertx Websocket
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Vertx Websocket component. The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. When the WebSocket endpoint is exposed without authentication, this is reachable by an unauthenticated remote attacker. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.
AI Analysis
Technical Summary
The vulnerability in Apache Camel Vertx Websocket consumer occurs because inbound WebSocket query and path parameters are mapped into the Camel Exchange header map without applying any HeaderFilterStrategy. This allows an attacker to supply Camel-internal control headers (e.g., CamelHttpUri) as query parameters, which can redirect server-side HTTP requests to attacker-chosen destinations (SSRF). Additionally, the HTTP producer resolves property placeholders in the injected URI, disclosing sensitive environment variables, application properties, and vault secrets. The vulnerability affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The fix involves applying a HeaderFilterStrategy that filters out Camel header namespaces case-insensitively on inbound mapping. For users unable to upgrade immediately, mitigations include stripping Camel control headers from inbound messages, requiring authentication on the WebSocket endpoint, and avoiding direct bridging of untrusted consumers into HTTP producers with attacker-controlled URIs.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to perform server-side request forgery (SSRF) by injecting CamelHttpUri headers via WebSocket query parameters, causing the server to send HTTP requests to attacker-chosen destinations, potentially including internal services or cloud metadata endpoints. Furthermore, the attacker can cause disclosure of sensitive information such as environment variables, application properties, and vault secrets by leveraging property placeholder resolution in the injected URIs. This can lead to unauthorized access to sensitive internal data and potential further compromise of the affected system.
Mitigation Recommendations
Users should upgrade to Apache Camel version 4.21.0 or later, or to 4.14.8 if on the 4.14.x LTS stream, or to 4.18.3 if on the 4.18.x stream, where the issue is fixed by applying a HeaderFilterStrategy that blocks externally supplied Camel* headers. For deployments that cannot upgrade immediately, it is recommended to strip Camel control headers from inbound messages before they reach downstream producers (e.g., using removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging untrusted consumers directly into HTTP producers with attacker-controlled URIs.
CVE-2026-46726: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel Vertx Websocket
Description
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Vertx Websocket component. The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. When the WebSocket endpoint is exposed without authentication, this is reachable by an unauthenticated remote attacker. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.
CVSS v3.1
Score 7.5high
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-vertx-websocketRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Camel Vertx Websocket consumer occurs because inbound WebSocket query and path parameters are mapped into the Camel Exchange header map without applying any HeaderFilterStrategy. This allows an attacker to supply Camel-internal control headers (e.g., CamelHttpUri) as query parameters, which can redirect server-side HTTP requests to attacker-chosen destinations (SSRF). Additionally, the HTTP producer resolves property placeholders in the injected URI, disclosing sensitive environment variables, application properties, and vault secrets. The vulnerability affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The fix involves applying a HeaderFilterStrategy that filters out Camel header namespaces case-insensitively on inbound mapping. For users unable to upgrade immediately, mitigations include stripping Camel control headers from inbound messages, requiring authentication on the WebSocket endpoint, and avoiding direct bridging of untrusted consumers into HTTP producers with attacker-controlled URIs.
Potential Impact
An unauthenticated remote attacker can exploit this vulnerability to perform server-side request forgery (SSRF) by injecting CamelHttpUri headers via WebSocket query parameters, causing the server to send HTTP requests to attacker-chosen destinations, potentially including internal services or cloud metadata endpoints. Furthermore, the attacker can cause disclosure of sensitive information such as environment variables, application properties, and vault secrets by leveraging property placeholder resolution in the injected URIs. This can lead to unauthorized access to sensitive internal data and potential further compromise of the affected system.
Mitigation Recommendations
Users should upgrade to Apache Camel version 4.21.0 or later, or to 4.14.8 if on the 4.14.x LTS stream, or to 4.18.3 if on the 4.18.x stream, where the issue is fixed by applying a HeaderFilterStrategy that blocks externally supplied Camel* headers. For deployments that cannot upgrade immediately, it is recommended to strip Camel control headers from inbound messages before they reach downstream producers (e.g., using removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging untrusted consumers directly into HTTP producers with attacker-controlled URIs.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-16T16:46:21.884Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4b6cae27e9c79719252370
Added to database: 07/06/2026, 08:51:58 UTC
Last enriched: 07/06/2026, 09:08:24 UTC
Last updated: 07/06/2026, 23:07:55 UTC
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.