CVE-2026-46585
Received Received - Intake

Authorization Bypass in Apache Camel Lucene Component

Vulnerability report for CVE-2026-46585, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Lucene Component. The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation behind an HTTP consumer (for example platform-http), any HTTP client could therefore set the QUERY header and have its value executed against the full-text index, overriding the query the route intended to run. Depending on what is indexed, this allows reading documents the request should not have access to (for example a match-all query returns the entire index, or the route's intended per-user filter can be replaced), and expensive regular-expression queries can consume significant CPU. No credentials are required when the HTTP consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, strip the attacker-controllable headers before the Lucene producer and set the query from a trusted source (for example removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS'), then setHeader('QUERY', constant(...)) at the start of the route).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel to 4.14.8 (exc)
apache camel to 4.18.3 (exc)
apache camel to 4.21.0 (exc)
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46585 is a medium-severity security vulnerability in the Apache Camel camel-lucene component. It arises because certain HTTP headers (QUERY and RETURN_LUCENE_DOCS) that do not start with the Camel prefix bypass the HTTP header filter. This allows an attacker to inject unauthorized full-text search queries by setting these headers in HTTP requests to routes exposing Lucene operations. As a result, unauthorized queries can be executed against the full-text index, potentially exposing documents that should be restricted or allowing expensive queries that consume significant CPU resources. No authentication is required if the HTTP consumer is unauthenticated.

Impact Analysis

This vulnerability can impact you by allowing unauthorized access to sensitive documents indexed by the Lucene component, bypassing intended access controls or filters. An attacker can execute arbitrary search queries, including match-all queries that return the entire index, exposing data that should remain confidential. Additionally, attackers can run resource-intensive regular-expression queries that may degrade system performance by consuming excessive CPU resources. Since no credentials are required when the HTTP consumer is unauthenticated, this can lead to data leakage and denial-of-service conditions.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to Apache Camel routes that expose Lucene query operations via HTTP consumers (such as platform-http). Specifically, look for inbound HTTP requests containing the headers QUERY or RETURN_LUCENE_DOCS, which are not Camel-prefixed and can be used to inject unauthorized Lucene queries.

To detect exploitation attempts, you can inspect HTTP traffic or logs for these headers. For example, using command-line tools like curl or tcpdump to capture and analyze HTTP headers, or using grep to search logs for these header names.

  • Use tcpdump or tshark to capture HTTP traffic and filter for QUERY or RETURN_LUCENE_DOCS headers.
  • Example tcpdump command: tcpdump -A -s 0 'tcp port 80 or tcp port 8080' | grep -i 'QUERY:'
  • Search application logs for occurrences of QUERY or RETURN_LUCENE_DOCS headers using grep: grep -i 'QUERY' /path/to/logs/*
  • Use curl to manually test if the server accepts these headers: curl -v -H 'QUERY: test' http://your-camel-route
Mitigation Strategies

The primary mitigation is to upgrade Apache Camel to a fixed version: 4.14.8, 4.18.3, or 4.21.0 depending on your release stream.

If immediate upgrade is not possible, implement a workaround by stripping the attacker-controllable headers QUERY and RETURN_LUCENE_DOCS before the Lucene producer in your route, and set the query from a trusted source.

  • Remove the QUERY and RETURN_LUCENE_DOCS headers at the start of the route using removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS').
  • Set the QUERY header to a constant or trusted value using setHeader('QUERY', constant(...)).

After upgrading, update routes to use the new Camel-prefixed headers CamelLuceneQuery and CamelLuceneReturnLuceneDocs instead of QUERY and RETURN_LUCENE_DOCS to ensure proper filtering.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46585. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart