CVE-2026-49086
Received Received - Intake

Improper Input Validation in Apache Camel DAPR Component

Vulnerability report for CVE-2026-49086, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These two headers are producer-direction routing headers: when the route republishes through a Dapr producer, DaprConfigurationOptionsProxy reads them back and prefers them over the destination configured on the endpoint. As a result, in a route that consumes from one Dapr Pub/Sub topic and republishes to another (for example from('dapr-pubsub:p:t').to('dapr-pubsub:p:other')), an actor able to publish a message to the subscribed topic could set the CloudEvent's pub/sub-name and topic to values of their choosing and cause the re-published message to be delivered to an arbitrary Dapr Pub/Sub component and topic instead of the configured destination - redirecting or exfiltrating the message and bypassing the route's intended routing and any topic-level access controls in the underlying broker. Exploitation requires the ability to publish to the topic the route subscribes to; no other authentication or user interaction is needed. This issue affects Apache Camel: from 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers from the Exchange between the Dapr consumer and any Dapr producer in the route (for example removeHeaders('CamelDaprPubSubName', 'CamelDaprTopic')), and restrict who can publish to the subscribed Dapr Pub/Sub topic so that only trusted producers can send to it.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel From 4.12.0 (inc) to 4.14.8 (exc)
apache camel From 4.15.0 (inc) to 4.18.3 (exc)
apache camel From 4.19.0 (inc) to 4.21.0 (exc)
apache camel 4.14.8
apache camel 4.18.3
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-441 The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Apache Camel camel-dapr component, specifically in the Dapr Pub/Sub consumer. The consumer copies two fields from each inbound CloudEventβ€”the pub/sub component name and the topicβ€”into routing headers that are used by the producer to determine where to send messages.

Because these headers can override the intended destination, an attacker who can publish messages to the subscribed topic can manipulate these headers to redirect the republished message to any arbitrary Dapr Pub/Sub component and topic. This bypasses the route's intended routing and any topic-level access controls in the underlying broker.

Exploitation requires only the ability to publish to the subscribed topic; no additional authentication or user interaction is needed.

Impact Analysis

This vulnerability can allow an attacker to redirect or exfiltrate messages by manipulating routing headers, causing messages to be delivered to unintended Dapr Pub/Sub components and topics.

As a result, sensitive or critical data could be sent to unauthorized destinations, potentially leading to data leakage or disruption of message flows.

Since no additional authentication is required beyond the ability to publish to the subscribed topic, the risk is significant if publishing permissions are not tightly controlled.

Mitigation Strategies

To mitigate this vulnerability immediately, users should upgrade Apache Camel to the fixed versions: 4.14.8, 4.18.3, or 4.21.0 depending on their release stream.

If upgrading is not possible right away, a temporary mitigation is to remove the CamelDaprPubSubName and CamelDaprTopic headers from the Exchange between the Dapr consumer and any Dapr producer in the route (for example, by using removeHeaders('CamelDaprPubSubName', 'CamelDaprTopic')).

Additionally, restrict who can publish to the subscribed Dapr Pub/Sub topic so that only trusted producers have publishing permissions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49086. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart