CVE-2026-46592
Received Received - Intake

Confused Deputy in Apache Camel CXF SOAP Component

Vulnerability report for CVE-2026-46592, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') vulnerability in Apache Camel CXF SOAP component. The camel-cxf producer selects which SOAP operation to invoke on the backend service from the operationName (and operationNamespace) Exchange header, whose constant values (CxfConstants.OPERATION_NAME / OPERATION_NAMESPACE) were the plain strings operationName / operationNamespace. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a cxf: producer, any HTTP client could therefore set the operationName header and have CxfProducer resolve and invoke a different WSDL operation than the route intended - for example replacing a read operation with a destructive one - against the backend SOAP service (a confused-deputy redirection). The constant is defined in the shared camel-cxf-common module, so the same non-prefixed names also applied to camel-cxfrs. No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the operation-selection headers are named CamelCxfOperationName / CamelCxfOperationNamespace and are filtered at transport boundaries; see the 4.21 upgrade guide for the cross-transport carrier-header pattern. For deployments that cannot upgrade immediately, do not select the CXF operation from untrusted input: strip the operationName and operationNamespace headers from any untrusted ingress before the cxf: producer and set the operation from a trusted source in the route.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel to 4.14.8 (exc)
apache camel to 4.15.0 (exc)
apache camel to 4.18.3 (exc)
apache camel to 4.21.0 (exc)
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46592 is a medium-severity security vulnerability in Apache Camel's camel-cxf and camel-cxfrs components. It arises because the SOAP operation-selection headers, named operationName and operationNamespace, do not have the Camel-specific prefix and thus bypass HTTP header filtering. This allows an HTTP client to manipulate which SOAP operation is invoked by a route, potentially causing the backend service to execute an unintended operation, such as replacing a safe read operation with a destructive one. This is an example of a confused deputy or unintended proxy vulnerability.

Detection Guidance

This vulnerability involves the presence and manipulation of the HTTP headers operationName and operationNamespace in requests to Apache Camel routes that bridge HTTP consumers to CXF producers.

To detect potential exploitation attempts, monitor incoming HTTP requests for these headers being set, especially if they are not expected or come from untrusted sources.

You can use network traffic inspection tools or web server logs to search for these headers.

  • Using tcpdump or tshark to capture HTTP traffic and filter for these headers, for example: tshark -Y 'http.header contains "operationName" or http.header contains "operationNamespace"'
  • Using curl or similar tools to test if the service accepts these headers: curl -v -H 'operationName: someOperation' -H 'operationNamespace: someNamespace' http://your-camel-service/endpoint
  • Checking application logs or enabling debug logging in Apache Camel routes to see if these headers are being processed or passed through.
Mitigation Strategies

The primary recommended mitigation is to upgrade Apache Camel to a fixed version: 4.14.8, 4.18.3, or 4.21.0 depending on your release stream.

If immediate upgrade is not possible, implement the following temporary mitigation:

  • Strip the operationName and operationNamespace headers from any untrusted ingress before the cxf: producer in your Camel routes.
  • Set the operation selection from a trusted source within the route rather than relying on inbound HTTP headers.

After upgrading, the headers are renamed to CamelCxfOperationName and CamelCxfOperationNamespace and are filtered at transport boundaries, preventing this attack vector.

Impact Analysis

This vulnerability can allow an attacker to manipulate the SOAP operation invoked on the backend service without authentication, potentially causing harmful actions such as executing destructive operations instead of safe ones. This could lead to unauthorized data modification or deletion, service disruption, or other unintended consequences depending on the backend SOAP service's operations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46592. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart