CVE-2026-49097
Received Received - Intake

Header Injection in Apache Camel IRC Component

Vulnerability report for CVE-2026-49097, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache Camel IRC component. The camel-irc producer chooses the destination of an outgoing IRC message from the irc.sendTo Exchange header (the constant IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it overrides the channel list configured on the endpoint, and the message is sent only to the specified destination. This and the component's other control headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into an irc: producer, any HTTP client could therefore set the irc.sendTo header and redirect a message that the route intended for a configured channel to an arbitrary IRC channel or user - exfiltrating the message content to an attacker-chosen nickname, leaking it into a public channel, or delivering messages that appear to come from the bot. No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set IRC headers via the raw header names must use the CamelIrc* names (for example CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot upgrade immediately, strip the irc.* headers from any untrusted ingress before the irc: producer (for example removeHeaders('irc.*') at the start of the route), and set the IRC destination from a trusted source.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel to 4.14.8 (inc)
apache camel to 4.18.3 (exc)
apache camel to 4.21.0 (exc)
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Apache Camel camel-irc component and involves improper input validation and neutralization of special elements, specifically header injection.

The issue arises because certain IRC-related Exchange headers (like irc.sendTo) do not have the Camel prefix and thus bypass HTTP header filtering. This allows an HTTP client to manipulate these headers and redirect IRC messages to arbitrary channels or users.

As a result, messages intended for a configured IRC channel can be sent to attacker-chosen destinations, potentially leaking message content or impersonating the bot without requiring credentials if the HTTP consumer is unauthenticated.

Impact Analysis

This vulnerability can impact you by allowing unauthorized parties to redirect IRC messages to arbitrary channels or users.

This can lead to sensitive message content being leaked to unintended recipients or public channels.

Additionally, attackers can send messages that appear to come from the bot, potentially causing misinformation or unauthorized commands to be executed.

No authentication is required if the HTTP consumer bridging to IRC is unauthenticated, increasing the risk.

Detection Guidance

Detection of this vulnerability involves monitoring for the presence of non-Camel-prefixed IRC headers such as irc.sendTo in HTTP requests that are bridged into the camel-irc producer. These headers allow unauthorized redirection of IRC messages.

You can inspect HTTP requests or logs for headers named irc.sendTo, irc.target, irc.messageType, irc.user.*, irc.num, or irc.value being passed into the Exchange. Their presence from untrusted sources indicates potential exploitation.

Commands to detect such headers depend on your environment, but for example, if you have access to HTTP request logs or can capture traffic, you might use tools like tcpdump or Wireshark to filter HTTP headers containing 'irc.sendTo'.

  • Using tcpdump to capture HTTP headers containing 'irc.sendTo': tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'irc.sendTo'
  • Using grep on HTTP server logs to find irc.* headers: grep -i 'irc.sendTo' /path/to/http/access.log

Additionally, review your Apache Camel routes for usage of raw irc.* headers in HTTP to IRC bridging routes, as these indicate vulnerable configurations.

Mitigation Strategies

The primary mitigation is to upgrade Apache Camel to a fixed version: 4.21.0 or later, or to 4.14.8 or 4.18.3 if you are on the respective LTS streams.

After upgrading, update your routes to replace raw IRC header names (e.g., irc.sendTo) with the new Camel-prefixed headers (e.g., CamelIrcSendTo) to ensure proper filtering.

If immediate upgrade is not possible, strip all irc.* headers from any untrusted ingress before the IRC producer in your routes. For example, use removeHeaders('irc.*') at the start of the route.

Set the IRC destination from a trusted source rather than allowing it to be controlled by inbound HTTP headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49097. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart