This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit b071de76d699132ac99c8a4500be772952e4066c Author: Andrea Cosentino <[email protected]> AuthorDate: Thu Jun 18 10:47:05 2026 +0200 Focus CVE-2026-46726 on camel-vertx-websocket only Now that camel-atmosphere-websocket and camel-iggy have dedicated advisories (CVE-2026-55993, CVE-2026-55994), narrow CVE-2026-46726 to camel-vertx-websocket: trim the summary (title) and description to that single component, focus the fix note on VertxWebsocketHeaderFilterStrategy, and replace the per-component scope note with cross-references to the two sibling advisories. The .txt.asc is re-signed. The sibling advisories were reviewed and already single-component with matching cros [...] Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]> Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-46726.md | 6 +++--- content/security/CVE-2026-46726.txt.asc | 22 +++++++++++----------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/content/security/CVE-2026-46726.md b/content/security/CVE-2026-46726.md index 38fd63af..c368100e 100644 --- a/content/security/CVE-2026-46726.md +++ b/content/security/CVE-2026-46726.md @@ -6,12 +6,12 @@ draft: false type: security-advisory cve: CVE-2026-46726 severity: HIGH -summary: "Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and Camel-Iggy: Inbound consumers map externally-supplied parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets through the vertx-websocket consumer" -description: "The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket [...] +summary: "Camel-Vertx-Websocket: The inbound consumer maps externally-supplied WebSocket query and path parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer" +description: "The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into th [...] credit: "This issue was discovered by Kamalpreet Singh" affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." fixed: 4.14.8, 4.18.3 and 4.21.0 --- -The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated HeaderFilterStrategy to each affected consumer - a [...] +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated VertxWebsocketHeaderFilterStrategy and a headerFil [...] diff --git a/content/security/CVE-2026-46726.txt.asc b/content/security/CVE-2026-46726.txt.asc index 7749e26a..60b43a0e 100644 --- a/content/security/CVE-2026-46726.txt.asc +++ b/content/security/CVE-2026-46726.txt.asc @@ -9,23 +9,23 @@ draft: false type: security-advisory cve: CVE-2026-46726 severity: HIGH -summary: "Camel-Vertx-Websocket, Camel-Atmosphere-Websocket and Camel-Iggy: Inbound consumers map externally-supplied parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets through the vertx-websocket consumer" -description: "The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket [...] +summary: "Camel-Vertx-Websocket: The inbound consumer maps externally-supplied WebSocket query and path parameters into the Exchange without a HeaderFilterStrategy, allowing injection of Camel control headers - enabling server-side request forgery and disclosure of secrets when bridged to an HTTP producer" +description: "The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (VertxWebsocketConsumer.populateExchangeHeaders()). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket [...] mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the affected consumers apply a HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into th [...] credit: "This issue was discovered by Kamalpreet Singh" affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." fixed: 4.14.8, 4.18.3 and 4.21.0 - --- -The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated HeaderFilterStrategy to each affected consumer - a [...] +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23532 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23285 (commit 1e776238202edb9d98972cff558e12b53e499647) and backported to camel-4.18.x (commit 88c43e3af36013585b5483c671950f30e5833a5f) and camel-4.14.x (commit 508fc15deca97ba373eb3881a00e220eab9ec428). The fix adds a dedicated VertxWebsocketHeaderFilterStrategy and a headerFil [...] -----BEGIN PGP SIGNATURE----- -iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmozrAoACgkQ406fOAL/ -QQBrTAf/al2aZxYukhrMwEBny1REGyhlNf1o7IcWExkk1XgT6XAH2ZvFLRp8LuHm -nJvptZMY+0Y8pOaEfi0n45wkiuSNCc13zHrV8FAJrML4M2+Tb3wXl/MXLXrDJo34 -5E/fTkEh93jT/DIfYAp1oIT9Ma6pjH6MhAyJ7jyN8XveRgT/2urAE/ebxaWoKuWy -tvBaBD/2mOQfNKzBWTteFTN6PCyedyw86juERZUyIuN3fKtstEvIk7KUp2n9FC1Q -wawpMTCuN5m0BX0EcFgeijqmTD3FoUzd2d0M/k+2iF5xdE31FruTvjYKDSPjcaoF -d1FWV3kzOi6vEaZG4mKpXJvDJgq5DA== -=em6K +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmozsGoACgkQ406fOAL/ +QQDWkAf/bG5bSlItv+LPhqZ9AGpXrB4SO17WNvemLDCxgnlQpR02RW+DzGr73h1+ +V6r0Ic+frI02u3OvGbtwJLrciz4FsLEmdRLaePgmWyu6r5TIjAvMfud+EU++oyPj +polc/3hXOFj3dUKQx/gZTTJh/hjDfh2lqKCUQH0v2i+9ya/yRiB2MA6S7lVKU2uI +XbPPR0jZybzvtr9U0a7dXSs1tUFAi/fzkP9Aafa5KsHHsDLOGfcVGf0wC8ckLPXZ +pGTGJdivAzBc8TbL45k4tcHXZ2S5d+SeBFAQ7KsMH/X7d5d6vgRbcxGhhOhwkb/t +V1dnhli9I6mvjCSU1llE9j+ktkz22g== +=R382 -----END PGP SIGNATURE-----
