CVE-2026-48203
Received Received - Intake

Server-Side Request Forgery in Apache Camel Solr Component

Vulnerability report for CVE-2026-48203, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel Solr component. The camel-solr producer copies Exchange message headers whose names begin with the SolrParam. prefix into the parameters of the Solr request, and headers whose names begin with the SolrField. prefix into the fields of the indexed Solr document. The prefix constants (SolrConstants.HEADER_PARAM_PREFIX / HEADER_FIELD_PREFIX) were the plain strings SolrParam. / SolrField.. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a solr: producer, any HTTP client could therefore set SolrParam.* headers to inject arbitrary Solr request parameters - including shards or stream.url, which cause the Solr server to issue server-side requests to an attacker-chosen URL (server-side request forgery, for example to an internal service or a cloud metadata endpoint), or qt to reach administrative request handlers - and set SolrField.* headers to inject arbitrary fields into indexed documents. No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Solr parameters or fields via the raw header prefixes must use CamelSolrParam. / CamelSolrField. instead of SolrParam. / SolrField.. For deployments that cannot upgrade immediately, strip the SolrParam.* and SolrField.* headers from any untrusted ingress before the solr: producer, and set the required Solr parameters and fields from a trusted source in the route.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel 4.14.8
apache camel 4.15.0
apache camel 4.18.3
apache camel 4.19.0
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Apache Camel camel-solr component and involves improper input validation and injection. Specifically, HTTP headers with names starting with SolrParam. or SolrField. bypass the usual Camel HTTP header filtering because they do not use the Camel prefix. This allows an attacker to inject arbitrary Solr query parameters or document fields by setting these headers in an inbound HTTP request.

As a result, an attacker can exploit this to perform server-side request forgery (SSRF), causing the Solr server to make requests to attacker-chosen URLs, such as internal services or cloud metadata endpoints, or access administrative request handlers without needing any credentials.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access and manipulation of Solr server behavior. An attacker can inject arbitrary parameters or fields into Solr requests, potentially altering indexed data or querying internal services.

The most critical impact is the possibility of server-side request forgery (SSRF), where the Solr server is tricked into making requests to internal or protected resources, which can lead to information disclosure, unauthorized access to internal systems, or further exploitation within the network.

Detection Guidance

This vulnerability involves HTTP headers with the prefixes SolrParam. and SolrField. being passed unchecked into Apache Camel's Solr component, allowing injection of arbitrary Solr parameters or fields.

To detect exploitation attempts on your network or system, monitor incoming HTTP requests for headers starting with SolrParam. or SolrField. that are forwarded to the Solr producer component.

You can use network traffic inspection tools or log analysis to identify such headers. For example, using tcpdump or Wireshark to capture HTTP traffic and filter for these headers.

  • tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'SolrParam\.|SolrField\.'
  • Use application logs or HTTP access logs to search for headers starting with SolrParam. or SolrField.
  • If you have access to the Camel route logs or debugging, check for Exchange message headers containing SolrParam.* or SolrField.* prefixes.
Mitigation Strategies

The recommended immediate mitigation is to upgrade Apache Camel to a fixed version: 4.14.8, 4.18.3, or 4.21.0 depending on your release stream.

If upgrading immediately is not possible, you should strip any SolrParam.* and SolrField.* headers from untrusted ingress traffic before the solr: producer in your Camel routes.

Additionally, after upgrading, update your routes to use the new header prefixes CamelSolrParam. and CamelSolrField. instead of SolrParam. and SolrField..

  • Upgrade Apache Camel to version 4.14.8, 4.18.3, or 4.21.0.
  • Implement header filtering in your routes to remove SolrParam.* and SolrField.* headers from untrusted sources.
  • Modify routes to use CamelSolrParam. and CamelSolrField. prefixes for setting Solr parameters and fields.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48203. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart