CVE-2026-49042
Received Received - Intake

Improper Input Validation in Apache Camel

Vulnerability report for CVE-2026-49042, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: from 4.8.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.18.3, 4.21.0, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel 4.8.0
apache camel 4.18.2
apache camel 4.19.0
apache camel 4.20.0
apache camel to 4.18.3 (inc)
apache camel to 4.21.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49042 is a medium-severity improper input validation vulnerability in Apache Camel affecting specific components such as camel-langchain4j-tools, camel-langchain4j-agent, and camel-spring-ai-tools.

The vulnerability allows an attacker who can influence Large Language Model (LLM) output to inject arbitrary Exchange headers via tool call arguments. This includes the ability to inject Camel-internal control headers like CamelFileName or CamelHttpUri, which can alter the behavior of downstream routes.

The issue exists in Apache Camel versions from 4.8.0 through 4.18.2 and from 4.19.0 through 4.20.0. The vulnerability is fixed by filtering tool argument field names against declared parameters in the tool specification, allowing only matching fields to be set as Exchange headers while logging and skipping undeclared fields.

Impact Analysis

This vulnerability can impact you by allowing an attacker to manipulate the internal behavior of Apache Camel routes through injection of arbitrary headers.

By injecting control headers such as CamelFileName or CamelHttpUri, an attacker could alter downstream route behavior, potentially causing unexpected processing, data leakage, or disruption of service.

If an attacker can influence the output of LLMs used in your system, they could exploit this vulnerability to affect the flow and handling of messages within your Apache Camel integration.

Detection Guidance

This vulnerability involves improper input validation allowing injection of arbitrary Exchange headers via tool call arguments in Apache Camel components. Detection involves monitoring for unexpected or unauthorized Exchange headers such as CamelFileName or CamelHttpUri being set in your Camel routes.

Since the vulnerability is related to manipulation of headers through tool arguments, you can detect it by inspecting logs or traffic for unusual header values or by auditing the tool call arguments against declared parameter schemas.

No specific commands are provided in the available resources. However, general detection steps could include:

  • Enable detailed logging in Apache Camel to capture Exchange headers and tool call arguments.
  • Use log analysis tools or scripts to search for unexpected headers like CamelFileName or CamelHttpUri.
  • Audit your Camel routes and tool specifications to verify that only declared parameters are accepted.
Mitigation Strategies

The primary mitigation is to upgrade Apache Camel to version 4.18.3 or 4.21.0, depending on your release stream, as these versions contain the fix for this vulnerability.

If immediate upgrade is not possible, you can mitigate the risk by:

  • Stripping untrusted headers after tool invocation to prevent malicious headers from affecting downstream routes.
  • Explicitly declaring parameter schemas for tools to ensure only expected fields are accepted and set as Exchange headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49042. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart