CVE-2026-55994
Received Received - Intake

Server-Side Request Forgery in Apache Camel Iggy Component

Vulnerability report for CVE-2026-55994, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Iggy component. The camel-iggy consumer mapped the user-headers of inbound Iggy messages into the Camel Exchange header map without applying any HeaderFilterStrategy (IggyFetchRecords copied the message user-headers straight into the Exchange). Because nothing blocked the Camel header namespace, an actor able to publish to the consumed Iggy stream/topic could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as message user-headers. In a route where the Iggy consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. This issue affects Apache Camel: from 4.17.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds a dedicated IggyHeaderFilterStrategy (and a headerFilterStrategy endpoint option) that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), restrict who can publish to the consumed Iggy stream/topic, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
apache camel 4.17.0
apache camel 4.18.3
apache camel 4.19.0
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Apache Camel camel-iggy component where user-headers from inbound Iggy messages are mapped directly into the Camel Exchange header map without filtering. An attacker who can publish to the Iggy stream or topic can inject Camel control headers, such as CamelHttpUri, by supplying them as message user-headers.

When the Iggy consumer is connected to a downstream HTTP producer, the injected CamelHttpUri causes the server-side HTTP request to be redirected to an attacker-chosen destination, resulting in a Server-Side Request Forgery (SSRF).

Additionally, the HTTP producer resolves property placeholders embedded in the injected URI, which can expose sensitive information such as environment variables, application properties, and vault secrets to the attacker.

Impact Analysis

This vulnerability can have serious impacts including unauthorized redirection of server-side HTTP requests to attacker-controlled destinations, potentially allowing attackers to access internal services or cloud metadata endpoints.

It can also lead to exposure of sensitive information such as environment variables, application properties, and vault secrets because the HTTP producer resolves placeholders in the attacker-injected URI and sends the resolved values to the attacker.

Detection Guidance

Detection of this vulnerability involves monitoring the Iggy stream or topic for messages containing Camel control headers such as CamelHttpUri or other headers starting with Camel* or camel* that should not be present from untrusted sources.

You can inspect messages published to the Iggy stream/topic to identify if any user-headers include Camel control headers that could be injected into the Camel Exchange.

While specific commands are not provided in the available resources, a general approach would be to use logging or message inspection tools to filter or search for headers matching the pattern 'Camel*' or 'camel*' in the inbound messages.

  • Use logging or message tracing on the Iggy consumer to capture inbound message headers.
  • Search for headers named CamelHttpUri or other Camel* headers in the captured messages.
  • If using command-line tools, commands like 'grep' or 'jq' can be used to filter logs or message dumps for these headers.
Mitigation Strategies

Immediate mitigation steps include upgrading Apache Camel to version 4.21.0 or 4.18.3, where the vulnerability is fixed by adding a dedicated IggyHeaderFilterStrategy that filters out Camel control headers on inbound messages.

If upgrading immediately is not possible, you should:

  • Strip Camel control headers (Camel* and camel*) from inbound messages before they reach any downstream HTTP producer, for example by using removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route.
  • Restrict who can publish to the consumed Iggy stream or topic to trusted actors only.
  • Avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be influenced by message headers.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55994. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart