Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.2%top 85%

CVE-2026-46726: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel Vertx Websocket

0
High
VulnerabilityCVE-2026-46726cvecve-2026-46726cwe-20cwe-200cwe-918
Published: 07/06/2026 (07/06/2026, 08:05:40 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Camel Vertx Websocket

Description

Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Vertx Websocket component. The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. When the WebSocket endpoint is exposed without authentication, this is reachable by an unauthenticated remote attacker. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.

CVSS v3.1

Score 7.5high

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected software

Apache Software Foundation/org.apache.camel:camel-vertx-websocket
pkg:maven/Apache Software Foundation/org.apache.camel:camel-vertx-websocket
Affected versions
>=4.0.0 <4.14.8>=4.15.0 <4.18.3>=4.19.0 <4.21.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 09:08:24 UTC

Technical Analysis

The vulnerability in Apache Camel Vertx Websocket consumer occurs because inbound WebSocket query and path parameters are mapped into the Camel Exchange header map without applying any HeaderFilterStrategy. This allows an attacker to supply Camel-internal control headers (e.g., CamelHttpUri) as query parameters, which can redirect server-side HTTP requests to attacker-chosen destinations (SSRF). Additionally, the HTTP producer resolves property placeholders in the injected URI, disclosing sensitive environment variables, application properties, and vault secrets. The vulnerability affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The fix involves applying a HeaderFilterStrategy that filters out Camel header namespaces case-insensitively on inbound mapping. For users unable to upgrade immediately, mitigations include stripping Camel control headers from inbound messages, requiring authentication on the WebSocket endpoint, and avoiding direct bridging of untrusted consumers into HTTP producers with attacker-controlled URIs.

Potential Impact

An unauthenticated remote attacker can exploit this vulnerability to perform server-side request forgery (SSRF) by injecting CamelHttpUri headers via WebSocket query parameters, causing the server to send HTTP requests to attacker-chosen destinations, potentially including internal services or cloud metadata endpoints. Furthermore, the attacker can cause disclosure of sensitive information such as environment variables, application properties, and vault secrets by leveraging property placeholder resolution in the injected URIs. This can lead to unauthorized access to sensitive internal data and potential further compromise of the affected system.

Mitigation Recommendations

Users should upgrade to Apache Camel version 4.21.0 or later, or to 4.14.8 if on the 4.14.x LTS stream, or to 4.18.3 if on the 4.18.x stream, where the issue is fixed by applying a HeaderFilterStrategy that blocks externally supplied Camel* headers. For deployments that cannot upgrade immediately, it is recommended to strip Camel control headers from inbound messages before they reach downstream producers (e.g., using removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging untrusted consumers directly into HTTP producers with attacker-controlled URIs.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-05-16T16:46:21.884Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null

Threat ID: 6a4b6cae27e9c79719252370

Added to database: 07/06/2026, 08:51:58 UTC

Last enriched: 07/06/2026, 09:08:24 UTC

Last updated: 07/06/2026, 23:07:55 UTC

Views: 9

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses