CVE-2026-46587
Received Received - Intake

Improper Input Validation in Apache Camel

Vulnerability report for CVE-2026-46587, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: through 4.14.7, from 4.15.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.14.8, 4.18.3, 4.21.0, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
apache camel to 4.14.7|start_including=4.15.0|end_including=4.18.2|start_including=4.19.0|end_including=4.20.0 (exc)
apache camel 4.14.8
apache camel 4.18.3
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46587 is an Improper Input Validation vulnerability in the Apache Camel camel-couchbase component. It involves certain HTTP headers (CCB_KEY, CCB_ID, CCB_TTL, CCB_DDN, CCB_VN) that are not prefixed with 'Camel' and thus bypass the default HttpHeaderFilterStrategy. This allows untrusted HTTP input to override critical Couchbase operation parameters such as document keys, IDs, TTL, design document names, or view names.

The flaw exists in Apache Camel versions from 4.0.0 up to 4.14.7, 4.15.0 up to 4.18.2, and 4.19.0 up to 4.20.0. The issue is fixed in versions 4.14.8, 4.18.3, and 4.21.0 by renaming these headers to include the 'Camel' prefix so they are properly filtered.

Impact Analysis

This vulnerability can allow an attacker to send untrusted HTTP requests that override important Couchbase operation parameters. If an HTTP entry point is exposed without authentication, this could lead to unauthorized data access or manipulation.

Detection Guidance

This vulnerability involves non-Camel-prefixed Exchange headers (CCB_KEY, CCB_ID, CCB_TTL, CCB_DDN, CCB_VN) being sent in HTTP requests that bypass filtering and affect Couchbase operations.

To detect this vulnerability on your network or system, you can monitor HTTP traffic for the presence of these specific headers in requests to Apache Camel endpoints using the camel-couchbase component.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests containing headers: CCB_KEY, CCB_ID, CCB_TTL, CCB_DDN, or CCB_VN.
  • Example tcpdump command to capture HTTP headers: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'CCB_'
  • If you have access to Apache Camel logs or can enable request logging, search for these headers in incoming HTTP requests.
  • Use curl or similar tools to test your endpoints by sending HTTP requests with these headers and observe if they are accepted or filtered.
Mitigation Strategies

The primary recommended mitigation is to upgrade Apache Camel to a fixed version: 4.14.8, 4.18.3, or 4.21.0, where the headers are renamed with a Camel prefix and properly filtered.

If upgrading immediately is not possible, temporary mitigations include:

  • Strip the vulnerable non-Camel-prefixed headers (CCB_KEY, CCB_ID, CCB_TTL, CCB_DDN, CCB_VN) from untrusted HTTP requests before they reach the camel-couchbase component.
  • Implement a custom HeaderFilterStrategy in Apache Camel to block or filter these headers.
  • Ensure that any HTTP entry points exposing the camel-couchbase component are protected by authentication to prevent unauthorized access.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46587. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart