CVE-2026-45760
Authorization Bypass in Apache Camel K

Publication date: 2026-05-21

Last updated on: 2026-05-21

Assigner: Apache Software Foundation

Description
Externally Controlled Reference to a Resource in Another Sphere (CWE-610) and Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource that controls Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.
Affected Vendors & Products (3 associated CPEs)
Vendor   Product   Version / Range
apache   camel_k   From 2.0.0 (inc) to 2.8.1 (exc)
apache   camel_k   From 2.9.0 (inc) to 2.9.2 (exc)
apache   camel_k   From 2.10.0 (inc) to 2.10.1 (exc)
CWE
CWE ID    Description
CWE-639   The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-610   The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-45760 is a high-severity security vulnerability in Apache Camel K that allows authorized users within a Kubernetes namespace to create a Build resource that controls Pod generation in another namespace, including the operator namespace.

This vulnerability is characterized as an externally controlled reference to a resource in another sphere and an authorization bypass through a user-controlled key, enabling a cross-namespace build deputy attack.

It affects Apache Camel K versions from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, and from 2.10.0 before 2.10.1.

The issue has been fixed in versions 2.8.1, 2.9.2, and 2.10.1.


How can this vulnerability impact me?

This vulnerability can allow an authorized user in one Kubernetes namespace to manipulate Pod generation in other namespaces, including critical operator namespaces.

Such unauthorized control can lead to privilege escalation, unauthorized resource manipulation, and potential disruption or compromise of the Kubernetes environment.

This cross-namespace control could be exploited to bypass security boundaries, potentially impacting the integrity and availability of applications running in the cluster.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, users are recommended to upgrade Apache Camel K to the fixed versions: 2.8.1, 2.9.2, or 2.10.1 depending on their current version line.

Upgrading to these versions addresses the authorization bypass and externally controlled reference issues by applying the necessary fixes.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how CVE-2026-45760 affects compliance with common standards and regulations such as GDPR or HIPAA.

