Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-55993: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel Atmosphere Websocket

0
High
VulnerabilityCVE-2026-55993cvecve-2026-55993cwe-20cwe-200cwe-918
Published: 07/06/2026 (07/06/2026, 08:13:24 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Camel Atmosphere Websocket

Description

Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Atmosphere Websocket Component. The camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() iterates the query-string map collected in WebsocketConsumer.service() and copies each entry into the Exchange). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. When the WebSocket endpoint is exposed without authentication, this is reachable by an unauthenticated remote attacker. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the consumer apply the HeaderFilterStrategy it already inherits from the HTTP/servlet stack, filtering the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.

Affected software

Apache Software Foundation/org.apache.camel:camel-atmosphere-websocket
pkg:maven/Apache Software Foundation/org.apache.camel:camel-atmosphere-websocket
Affected versions
>=4.0.0 <4.14.8>=4.15.0 <4.18.3>=4.19.0 <4.21.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 09:06:57 UTC

Technical Analysis

The vulnerability arises because the camel-atmosphere-websocket consumer copies inbound WebSocket query parameters into the Camel Exchange header map without filtering. This allows attackers to set internal Camel headers like CamelHttpUri, which can redirect downstream HTTP producers to attacker-controlled destinations, enabling SSRF. Additionally, the HTTP producer resolves property placeholders in the injected URI, potentially leaking sensitive environment variables and secrets. The flaw affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The fix, introduced in 4.14.8, 4.18.3, and 4.21.0, applies a HeaderFilterStrategy to block externally supplied Camel headers on inbound mapping. Mitigations include upgrading to these versions, stripping Camel headers before downstream processing, requiring authentication on the WebSocket endpoint, and avoiding untrusted consumers directly feeding HTTP producers with header-driven URIs.

Potential Impact

An unauthenticated remote attacker can exploit this vulnerability to perform server-side request forgery (SSRF) by injecting CamelHttpUri headers via WebSocket query parameters, causing the server to make HTTP requests to attacker-chosen destinations. Furthermore, the attacker can cause the server to disclose sensitive information such as environment variables, application properties, and vault secrets by leveraging property placeholder resolution in the injected URI. This can lead to unauthorized information disclosure and potential further compromise of internal services.

Mitigation Recommendations

A fix is available in Apache Camel versions 4.14.8, 4.18.3, and 4.21.0. Users are strongly recommended to upgrade to one of these versions depending on their release stream. For those unable to upgrade immediately, mitigations include stripping Camel control headers from inbound messages before they reach downstream producers (e.g., using removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), enforcing authentication on the WebSocket endpoint, and avoiding bridging untrusted WebSocket consumers directly into HTTP producers where the target URI can be influenced by message headers.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-06-18T08:12:33.509Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null

Threat ID: 6a4b6cb027e9c7971925269f

Added to database: 07/06/2026, 08:52:00 UTC

Last enriched: 07/06/2026, 09:06:57 UTC

Last updated: 07/06/2026, 10:56:18 UTC

Views: 6

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses