CVE-2026-48204
Received Received - Intake

Improper Input Validation in Apache Camel

Vulnerability report for CVE-2026-48204, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs component. The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header when the endpoint's operation parameter is not set - which is the default. The control-header constants (GridFsConstants.GRIDFS_OPERATION, GRIDFS_OBJECT_ID, GRIDFS_METADATA, GRIDFS_CHUNKSIZE, GRIDFS_FILE_ID_PRODUCED) were the plain strings gridfs.operation, gridfs.objectid, gridfs.metadata, gridfs.chunksize and gridfs.fileid. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a mongodb-gridfs: producer with no explicit operation, any HTTP client could therefore set the gridfs.operation header to override the route's intended operation - switching, for example, a file upload to remove (deleting a file identified by the attacker-supplied gridfs.objectid), listAll (enumerating every file in the bucket) or findOne (reading a file) - and supply a gridfs.metadata value that is parsed as a MongoDB document, enabling NoSQL operator injection. No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive GridFS operations or metadata via the raw header names must use CamelGridFsOperation / CamelGridFsObjectId / CamelGridFsMetadata / CamelGridFsChunkSize / CamelGridFsFileId instead of the gridfs.* names. For deployments that cannot upgrade immediately, set an explicit operation on the mongodb-gridfs: endpoint so the operation is not taken from a header, and strip the gridfs.* headers from any untrusted ingress before the producer.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel 4.14.8
apache camel 4.15.0
apache camel 4.18.3
apache camel 4.19.0
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48204 is a security vulnerability in the Apache Camel camel-mongodb-gridfs component. It arises because certain header names used to control GridFS operations (like gridfs.operation, gridfs.objectid, etc.) do not have the Camel prefix, allowing them to bypass HTTP header filtering. This means an attacker can send specially crafted HTTP requests that manipulate these headers to override the intended GridFS operation.

As a result, an attacker can perform unauthorized actions such as deleting files, listing all files, reading files, or injecting malicious NoSQL queries by supplying manipulated metadata. This happens when the endpoint's operation parameter is not explicitly set, and the route bridges an HTTP consumer to the mongodb-gridfs producer.

Impact Analysis

This vulnerability can have serious impacts including unauthorized file deletion, unauthorized access to files, and NoSQL injection attacks. An attacker can exploit the vulnerability to delete files by specifying a file ID, enumerate all files in the GridFS bucket, or read files without proper authorization.

Because no credentials are required when the bridging consumer is unauthenticated, the attacker can perform these actions without authentication, potentially leading to data loss, data leakage, or compromise of the database integrity.

Detection Guidance

Detection of this vulnerability involves monitoring HTTP requests that interact with the camel-mongodb-gridfs component, specifically looking for the presence of untrusted HTTP headers such as gridfs.operation, gridfs.objectid, gridfs.metadata, gridfs.chunksize, and gridfs.fileid.

You can inspect incoming HTTP requests to see if these headers are being set, which could indicate an attempt to exploit the vulnerability.

For example, using command-line tools like curl or tcpdump to capture and analyze HTTP traffic, or using grep to search logs for these header names, may help detect suspicious activity.

  • Use tcpdump or Wireshark to capture HTTP traffic and filter for headers containing 'gridfs.operation' or related header names.
  • Search application or proxy logs for occurrences of 'gridfs.operation' or other gridfs.* headers using commands like: grep -i 'gridfs.operation' /path/to/logfile
  • Use curl to simulate requests with these headers to test if the system is vulnerable, for example: curl -H 'gridfs.operation: remove' http://yourserver/endpoint
Mitigation Strategies

Immediate mitigation steps include upgrading Apache Camel to a fixed version where the vulnerability is resolved.

  • Upgrade to Apache Camel version 4.21.0 or later.
  • If using the 4.14.x LTS release stream, upgrade to version 4.14.8.
  • If using the 4.18.x release stream, upgrade to version 4.18.3.

After upgrading, ensure that routes use the Camel-prefixed header names (CamelGridFsOperation, CamelGridFsObjectId, CamelGridFsMetadata, CamelGridFsChunkSize, CamelGridFsFileId) instead of the vulnerable gridfs.* headers.

For deployments that cannot upgrade immediately, set an explicit operation on the mongodb-gridfs endpoint to prevent operation selection from headers, and strip any untrusted gridfs.* headers from incoming HTTP requests.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48204. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart