CVE-2026-46591
Received Received - Intake

Cypher Injection in Apache Camel Neo4j Component

Vulnerability report for CVE-2026-46591, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Neutralization of Special Elements in Data Query Logic vulnerability in Apache Camel Neo4J component. The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the structure of the executed query. Where a route maps untrusted input into the CamelNeo4jMatchProperties map - for example by passing a request body as the match map, or from a consumer that does not filter inbound Camel* headers - an attacker who controls the JSON key names can inject arbitrary Cypher and read, modify or delete any node or relationship in the Neo4j database. The CamelNeo4jMatchProperties header is itself Camel-prefixed and is filtered by the HTTP header-filter strategy, so a plain HTTP client cannot set it directly; the issue is reachable through routes that deliberately or inadvertently carry untrusted data into that header. This issue affects Apache Camel: from 4.10.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, do not populate the CamelNeo4jMatchProperties map from untrusted input: validate or allow-list the property names (for example against ^[A-Za-z_][A-Za-z0-9_]*$) before the Neo4j producer, and ensure that any consumer feeding such a route filters inbound Camel* / camel* headers so the match header cannot be supplied by an external sender.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
apache camel 4.10.0
apache camel 4.14.7
apache camel 4.15.0
apache camel 4.18.2
apache camel 4.19.0
apache camel to 4.14.8 (inc)
apache camel to 4.18.3 (inc)
apache camel to 4.21.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-943 The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neutralizes special elements that can modify the intended logic of the query.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46591 is a security vulnerability in the Apache Camel camel-neo4j component involving improper neutralization of special elements in data query logic.

The vulnerability arises because the camel-neo4j producer builds Cypher WHERE clauses by directly concatenating JSON property names from the CamelNeo4jMatchProperties map into the query string without validation.

If an attacker can control these property names (the JSON keys), they can inject arbitrary Cypher code, which can alter the structure of the query and allow them to read, modify, or delete any node or relationship in the Neo4j database.

This issue is an incomplete fix of a previous vulnerability (CVE-2025-66169) that addressed injection in property values but not property names.

The vulnerability affects Apache Camel versions from 4.10.0 to 4.14.7, 4.15.0 to 4.18.2, and 4.19.0 to 4.20.0.

The fix involves validating property names against a strict regex pattern to prevent injection.

Impact Analysis

This vulnerability can allow an attacker who controls untrusted input mapped into the CamelNeo4jMatchProperties header to inject arbitrary Cypher queries.

As a result, the attacker can read, modify, or delete any node or relationship in the Neo4j database, potentially leading to data breaches, data loss, or unauthorized data manipulation.

The vulnerability is reachable if routes in Apache Camel carry untrusted data into the CamelNeo4jMatchProperties header, especially if inbound Camel headers are not properly filtered.

Detection Guidance

This vulnerability can be detected by inspecting whether untrusted input is mapped into the CamelNeo4jMatchProperties header in Apache Camel routes, especially if the property names (JSON keys) are not validated and are directly concatenated into Cypher queries.

To detect potential exploitation or presence of this vulnerability, you can check your Apache Camel version to see if it falls within the affected ranges (4.10.0 to 4.14.7, 4.15.0 to 4.18.2, and 4.19.0 to 4.20.0).

You can also audit your Camel routes and logs for usage of the CamelNeo4jMatchProperties header and verify if property names are validated against the regex ^[A-Za-z_][A-Za-z0-9_]*$.

Suggested commands include:

  • Check Apache Camel version: `camel --version` or check your application's dependency versions.
  • Search your route definitions or source code for usage of CamelNeo4jMatchProperties header.
  • Review logs for suspicious Cypher queries or errors related to IllegalArgumentException triggered by invalid property names.
  • If possible, enable debugging or tracing in Apache Camel to monitor headers and query construction.
Mitigation Strategies

The immediate recommended mitigation is to upgrade Apache Camel to a fixed version: 4.14.8, 4.18.3, or 4.21.0 depending on your release stream.

If upgrading immediately is not possible, do not populate the CamelNeo4jMatchProperties map from untrusted input.

Validate or allow-list the property names before they reach the Neo4j producer, for example by enforcing the regex pattern ^[A-Za-z_][A-Za-z0-9_]*$.

Ensure that any consumer feeding such a route filters inbound Camel* or camel* headers so that the CamelNeo4jMatchProperties header cannot be supplied by an external sender.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46591. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart