CVE-2026-46726
Received Received - Intake

Server-Side Request Forgery in Apache Camel Vertx Websocket

Vulnerability report for CVE-2026-46726, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Vertx Websocket component. The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. When the WebSocket endpoint is exposed without authentication, this is reachable by an unauthenticated remote attacker. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel 4.14.8
apache camel 4.15.0
apache camel 4.18.3
apache camel 4.19.0
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46726 is a vulnerability in the Apache Camel camel-vertx-websocket component where inbound WebSocket query and path parameters are mapped into the Camel Exchange header map without proper filtering. This allows an attacker to inject Camel-internal control headers, such as CamelHttpUri, by supplying them as query parameters.

Because these headers are not blocked, an attacker can manipulate server-side HTTP requests to redirect them to arbitrary destinations, including internal services or cloud metadata endpoints, resulting in server-side request forgery (SSRF).

Additionally, the HTTP producer resolves property placeholders in the attacker-controlled URI, which can expose sensitive information like environment variables, application properties, and vault secrets to the attacker.

This vulnerability affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The root cause is the lack of a HeaderFilterStrategy that filters Camel headers during inbound mapping.

Impact Analysis

This vulnerability can allow an unauthenticated remote attacker to perform server-side request forgery (SSRF), redirecting server-side HTTP requests to attacker-chosen destinations, including internal services or cloud metadata endpoints.

It can also lead to exposure of sensitive information such as environment variables, application properties, and vault secrets because the HTTP producer resolves property placeholders in the attacker-controlled URI.

If the WebSocket endpoint is exposed without authentication, the attacker can exploit this vulnerability remotely without any credentials.

Detection Guidance

This vulnerability can be detected by monitoring WebSocket endpoints for incoming query or path parameters that include Camel-internal control headers such as CamelHttpUri or headers starting with Camel* or camel*. An attacker may exploit this by sending specially crafted WebSocket requests with these headers as query parameters.

To detect potential exploitation attempts, you can inspect WebSocket traffic for suspicious query parameters or headers that attempt to inject Camel control headers.

While no specific commands are provided in the resources, general detection steps include:

  • Capture and analyze WebSocket traffic using tools like Wireshark or tcpdump to look for query parameters containing Camel* or camel* headers.
  • Use application logs to identify WebSocket requests that include unexpected headers or query parameters that map to Camel internal headers.
  • If you have access to the Camel routes, add logging or debugging to inspect inbound WebSocket headers for presence of Camel control headers.
Mitigation Strategies

Immediate mitigation steps include upgrading Apache Camel to a fixed version: 4.21.0, 4.18.3, or 4.14.8 depending on your release stream.

If upgrading is not immediately possible, apply the following workarounds:

  • Strip Camel control headers from inbound WebSocket messages before they reach any downstream HTTP producer by removing headers matching 'Camel*' and 'camel*' at the start of the route.
  • Require authentication on the WebSocket endpoint to prevent unauthenticated remote attackers from exploiting the vulnerability.
  • Avoid bridging an untrusted WebSocket consumer directly into an HTTP producer whose target URI can be controlled via message headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46726. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart