CVE-2026-45760
Deferred Deferred - Pending Action
Authorization Bypass in Apache Camel K

Publication date: 2026-05-21

Last updated on: 2026-05-23

Assigner: Apache Software Foundation

Description
(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-21
Last Modified
2026-05-23
Generated
2026-06-10
AI Q&A
2026-05-21
EPSS Evaluated
2026-06-09
NVD
CVE-2026-45760
EUVD
EUVD-2026-31268
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache camel_k From 2.0.0 (inc) to 2.8.1 (exc)
apache camel_k From 2.9.0 (inc) to 2.9.2 (exc)
apache camel_k From 2.10.0 (inc) to 2.10.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-610 The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify how CVE-2026-45760 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-45760 is a high-severity security vulnerability in Apache Camel K that allows authorized users within a Kubernetes namespace to create a Build resource that controls Pod generation in another namespace, including the operator namespace.

This vulnerability is characterized as an externally controlled reference to a resource in another sphere and an authorization bypass through a user-controlled key, enabling a cross-namespace build deputy attack.

It affects Apache Camel K versions from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, and from 2.10.0 before 2.10.1.

The issue has been fixed in versions 2.8.1, 2.9.2, and 2.10.1.

Impact Analysis

This vulnerability can allow an authorized user in one Kubernetes namespace to manipulate Pod generation in other namespaces, including critical operator namespaces.

Such unauthorized control can lead to privilege escalation, unauthorized resource manipulation, and potential disruption or compromise of the Kubernetes environment.

This cross-namespace control could be exploited to bypass security boundaries, potentially impacting the integrity and availability of applications running in the cluster.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Camel K to the fixed versions: 2.8.1, 2.9.2, or 2.10.1 depending on their current version line.

Upgrading to these versions addresses the authorization bypass and externally controlled reference issues by applying the necessary fixes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart