CVE-2026-48205: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel DNS
Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel DNS component. The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a dns: producer, any HTTP client could therefore set the dns.server header to make the dig producer build a SimpleResolver pointing at an attacker-controlled DNS server - a server-side request forgery via DNS, through which the attacker observes the queried name and can return poisoned responses - and set the dns.name / dns.domain headers to resolve arbitrary internal hostnames, disclosing whether they exist (internal network reconnaissance). No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For deployments that cannot upgrade immediately, strip the dns.* and term headers from any untrusted ingress before the dns: producer, and set the DNS server and lookup parameters from a trusted source in the route.
AI Analysis
Technical Summary
The Apache Camel DNS component improperly validates input by allowing DNS operation parameters to be set via HTTP headers that are not filtered by the HttpHeaderFilterStrategy. This enables an attacker to control the DNS resolver used by the dig producer, causing server-side request forgery through DNS. Attackers can observe queried names, receive poisoned DNS responses, and perform internal hostname reconnaissance without authentication if the route bridges an HTTP consumer to a dns: producer. The vulnerability affects multiple version streams of Apache Camel DNS and is fixed in versions 4.14.8, 4.18.3, and 4.21.0. Mitigation involves upgrading to these versions or filtering out the vulnerable headers from untrusted sources.
Potential Impact
An attacker can exploit this vulnerability to perform server-side request forgery via DNS, allowing them to direct DNS queries to attacker-controlled servers, observe internal DNS queries, receive malicious DNS responses, and discover internal hostnames. This can lead to internal network reconnaissance and potential DNS poisoning attacks. No authentication is required if the HTTP consumer is unauthenticated, increasing the risk in exposed deployments.
Mitigation Recommendations
Users should upgrade to Apache Camel DNS version 4.21.0 or later. For users on the 4.14.x LTS stream, upgrade to 4.14.8; for the 4.18.x stream, upgrade to 4.18.3. After upgrading, routes must use the Camel-prefixed header names (CamelDnsServer, CamelDnsName, CamelDnsDomain, CamelDnsType, CamelDnsClass, CamelDnsTerm) instead of the vulnerable dns.* and term headers. For deployments unable to upgrade immediately, it is recommended to strip the dns.* and term headers from any untrusted ingress before the dns: producer and set DNS parameters from trusted sources within the route.
CVE-2026-48205: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel DNS
Description
Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel DNS component. The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a dns: producer, any HTTP client could therefore set the dns.server header to make the dig producer build a SimpleResolver pointing at an attacker-controlled DNS server - a server-side request forgery via DNS, through which the attacker observes the queried name and can return poisoned responses - and set the dns.name / dns.domain headers to resolve arbitrary internal hostnames, disclosing whether they exist (internal network reconnaissance). No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For deployments that cannot upgrade immediately, strip the dns.* and term headers from any untrusted ingress before the dns: producer, and set the DNS server and lookup parameters from a trusted source in the route.
CVSS v3.1
Score 9.1critical
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-dnsRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Apache Camel DNS component improperly validates input by allowing DNS operation parameters to be set via HTTP headers that are not filtered by the HttpHeaderFilterStrategy. This enables an attacker to control the DNS resolver used by the dig producer, causing server-side request forgery through DNS. Attackers can observe queried names, receive poisoned DNS responses, and perform internal hostname reconnaissance without authentication if the route bridges an HTTP consumer to a dns: producer. The vulnerability affects multiple version streams of Apache Camel DNS and is fixed in versions 4.14.8, 4.18.3, and 4.21.0. Mitigation involves upgrading to these versions or filtering out the vulnerable headers from untrusted sources.
Potential Impact
An attacker can exploit this vulnerability to perform server-side request forgery via DNS, allowing them to direct DNS queries to attacker-controlled servers, observe internal DNS queries, receive malicious DNS responses, and discover internal hostnames. This can lead to internal network reconnaissance and potential DNS poisoning attacks. No authentication is required if the HTTP consumer is unauthenticated, increasing the risk in exposed deployments.
Mitigation Recommendations
Users should upgrade to Apache Camel DNS version 4.21.0 or later. For users on the 4.14.x LTS stream, upgrade to 4.14.8; for the 4.18.x stream, upgrade to 4.18.3. After upgrading, routes must use the Camel-prefixed header names (CamelDnsServer, CamelDnsName, CamelDnsDomain, CamelDnsType, CamelDnsClass, CamelDnsTerm) instead of the vulnerable dns.* and term headers. For deployments unable to upgrade immediately, it is recommended to strip the dns.* and term headers from any untrusted ingress before the dns: producer and set DNS parameters from trusted sources within the route.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-21T09:01:03.728Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4b6cae27e9c79719252379
Added to database: 07/06/2026, 08:51:58 UTC
Last enriched: 07/06/2026, 09:07:57 UTC
Last updated: 07/06/2026, 23:07:55 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.