This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit e89d918bac256ce23213f69cbe59a835ee69b982
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:06 2026 +0200

    Added CVE-2026-46726
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-46726.md      | 17 +++++++++++++++++
 content/security/CVE-2026-46726.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-46726.md 
b/content/security/CVE-2026-46726.md
new file mode 100644
index 00000000..88a55b65
--- /dev/null
+++ b/content/security/CVE-2026-46726.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-46726"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-46726.html
+draft: false
+type: security-advisory
+cve: CVE-2026-46726
+severity: HIGH
+summary: "Apache Camel: Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and 
Camel-Iggy: Inbound consumers map externally-supplied parameters into the 
Exchange without a HeaderFilterStrategy, allowing injection of Camel control 
headers - enabling server-side request forgery and disclosure of secrets 
through the vertx-websocket consumer"
+description: "The camel-vertx-websocket consumer mapped inbound WebSocket 
query and path parameters into the Camel Exchange header map without applying 
any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). 
Because nothing blocked the Camel header namespace, a client connecting to the 
WebSocket endpoint could set Camel-internal control headers - including 
CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query 
parameters. In a route where the WebSocket  [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. The fix makes the affected 
consumers apply a HeaderFilterStrategy that filters the Camel header namespace 
case-insensitively on inbound mapping, so externally-supplied Camel* / camel* 
headers are no longer copied into th [...]
+credit: "This issue was discovered by Kamalpreet Singh"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 
508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated 
HeaderFilterStrategy to each affected consumer - a [...]
diff --git a/content/security/CVE-2026-46726.txt.asc 
b/content/security/CVE-2026-46726.txt.asc
new file mode 100644
index 00000000..b16ede30
--- /dev/null
+++ b/content/security/CVE-2026-46726.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-46726"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-46726.html
+draft: false
+type: security-advisory
+cve: CVE-2026-46726
+severity: HIGH
+summary: "Apache Camel: Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and 
Camel-Iggy: Inbound consumers map externally-supplied parameters into the 
Exchange without a HeaderFilterStrategy, allowing injection of Camel control 
headers - enabling server-side request forgery and disclosure of secrets 
through the vertx-websocket consumer"
+description: "The camel-vertx-websocket consumer mapped inbound WebSocket 
query and path parameters into the Camel Exchange header map without applying 
any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). 
Because nothing blocked the Camel header namespace, a client connecting to the 
WebSocket endpoint could set Camel-internal control headers - including 
CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query 
parameters. In a route where the WebSocket  [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. The fix makes the affected 
consumers apply a HeaderFilterStrategy that filters the Camel header namespace 
case-insensitively on inbound mapping, so externally-supplied Camel* / camel* 
headers are no longer copied into th [...]
+credit: "This issue was discovered by Kamalpreet Singh"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23285 (commit 
1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x 
(commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 
508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated 
HeaderFilterStrategy to each affected consumer - a [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0kACgkQ406fOAL/
+QQAIJgf/WiofpIpYaklvH5pBAucVW+SVzBoQovo1I6NtZ4aZvAUQ1Tfjb1BNtSjZ
+wbbIwJavaBRhc4an5oDWqL0Z6oBl8yRp1kx8HTx8AqtEbUPzxLEHh9kYEitsMxpG
+Bl3+hMyROt7WEkpqsv83PuiYwknVl8il4KEvp1LkXZcWmKrkGucOlQwt8C1NAWT6
+ZTU68ahWtAfKuVLrpevrFhQ9hr+QWX7KHd7YfFXj7Sx35opvrtDnn7yTUDuUzJGG
+Z3pxd6ceYAEeUgkXhtjGr/qjyj1qkaEaC9eOpsTFg3Bfbxa5RH86tfpJv9Uw0yj9
+sWvI9yHjXVkiqsegQWgUVxXf/ya7lg==
+=q1do
+-----END PGP SIGNATURE-----

Reply via email to