CVE-2026-48205
Received Received - Intake

Server-Side Request Forgery in Apache Camel DNS Component

Vulnerability report for CVE-2026-48205, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel DNS component. The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a dns: producer, any HTTP client could therefore set the dns.server header to make the dig producer build a SimpleResolver pointing at an attacker-controlled DNS server - a server-side request forgery via DNS, through which the attacker observes the queried name and can return poisoned responses - and set the dns.name / dns.domain headers to resolve arbitrary internal hostnames, disclosing whether they exist (internal network reconnaissance). No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For deployments that cannot upgrade immediately, strip the dns.* and term headers from any untrusted ingress before the dns: producer, and set the DNS server and lookup parameters from a trusted source in the route.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel to 4.14.8 (exc)
apache camel to 4.18.3 (exc)
apache camel to 4.21.0 (exc)
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-48205 is a Server-Side Request Forgery (SSRF) vulnerability in the Apache Camel camel-dns component caused by improper input validation.

The vulnerability arises because certain DNS operation parameters are read from HTTP headers that do not have the Camel-specific prefix, allowing them to bypass HTTP header filtering.

An attacker can manipulate these headers (such as dns.server, dns.name, dns.domain) in an HTTP request to make the system perform DNS queries against an attacker-controlled DNS server, enabling DNS query redirection, internal network reconnaissance, and DNS response poisoning.

No authentication is required if the HTTP consumer is unauthenticated, making exploitation easier.

Impact Analysis

This vulnerability can impact you by allowing an attacker to perform server-side request forgery via DNS, which can lead to several security risks.

  • The attacker can redirect DNS queries to a malicious DNS server they control.
  • They can observe the DNS queries made by your system, potentially leaking sensitive information about internal hostnames.
  • The attacker can poison DNS responses, potentially causing your system to resolve incorrect or malicious IP addresses.
  • Internal network reconnaissance can be performed, revealing the existence of internal hosts.

These impacts can lead to further attacks, data exposure, or disruption of services.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to your Apache Camel routes that bridge HTTP consumers to dns: producers for the presence of suspicious headers named dns.server, dns.name, dns.domain, dns.type, dns.class, or term.

You can inspect incoming HTTP requests for these headers since they are not Camel-prefixed and may indicate attempts to exploit the SSRF vulnerability.

For example, using command-line tools like curl or tcpdump to capture and analyze HTTP headers can help detect exploitation attempts.

  • Use tcpdump or Wireshark to capture HTTP traffic and filter for headers containing dns.server or dns.name.
  • Use curl to send test requests with suspicious headers to your HTTP endpoints to verify if they are accepted, e.g.:
  • curl -v -H "dns.server: attacker-controlled-dns" -H "dns.name: example.internal" http://your-camel-http-endpoint

If such headers are accepted and influence DNS queries, the system is vulnerable.

Mitigation Strategies

The primary mitigation is to upgrade Apache Camel to a fixed version: 4.14.8, 4.18.3, or 4.21.0 depending on your release stream.

After upgrading, update your routes to use the Camel-prefixed header names (CamelDnsServer, CamelDnsName, CamelDnsDomain, CamelDnsType, CamelDnsClass, CamelDnsTerm) instead of the vulnerable dns.* and term headers.

If immediate upgrade is not possible, strip the dns.* and term headers from any untrusted inbound HTTP requests before they reach the dns: producer.

Additionally, configure your routes to set DNS server and lookup parameters from trusted sources rather than from inbound HTTP headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48205. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart