This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit cc2ec06f942df0eedf1267d42d8e6567311c7bfe
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:06 2026 +0200

    Added CVE-2026-49098
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-49098.md      | 17 +++++++++++++++++
 content/security/CVE-2026-49098.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-49098.md 
b/content/security/CVE-2026-49098.md
new file mode 100644
index 00000000..5dea81c4
--- /dev/null
+++ b/content/security/CVE-2026-49098.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-49098"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-49098.html
+draft: false
+type: security-advisory
+cve: CVE-2026-49098
+severity: MEDIUM
+summary: "Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other 
kafka.*) Exchange header constants used non-Camel-prefixed names that bypass 
the upstream HTTP header filter, allowing an HTTP client to redirect Kafka 
messages to an arbitrary topic"
+description: "The camel-kafka producer can override its configured target 
topic at runtime from the kafka.OVERRIDE_TOPIC Exchange header: 
KafkaProducer.evaluateTopic() returns the header value in preference to the 
topic configured on the endpoint. The control-header constants in 
KafkaConstants (for example OVERRIDE_TOPIC = kafka.OVERRIDE_TOPIC, 
OVERRIDE_TIMESTAMP = kafka.OVERRIDE_TIMESTAMP, PARTITION_KEY = 
kafka.PARTITION_KEY) used plain, non-Camel-prefixed values. camel-kafka's own 
Kafk [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that set 
or read Kafka headers via the raw header names must use the CamelKafka* names 
(for example CamelKafkaOverrideTopic and CamelKafkaTopic) instead of the old 
kafka.* values. For deployments  [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23584 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23602 (commit 
f8914a219ad473811c01562b5b85e83ba583b583) and backported to camel-4.18.x 
(commit d4c6fd85358b65d99dfe26722278eaf35fd0029c) and camel-4.14.x (commit 
93cd4c4e1d1619d71aa9b56c3850d4d6ccd74375). The fix renames the 12 camel-kafka 
Exchange header constant values to the C [...]
diff --git a/content/security/CVE-2026-49098.txt.asc 
b/content/security/CVE-2026-49098.txt.asc
new file mode 100644
index 00000000..f2ab508b
--- /dev/null
+++ b/content/security/CVE-2026-49098.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-49098"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-49098.html
+draft: false
+type: security-advisory
+cve: CVE-2026-49098
+severity: MEDIUM
+summary: "Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other 
kafka.*) Exchange header constants used non-Camel-prefixed names that bypass 
the upstream HTTP header filter, allowing an HTTP client to redirect Kafka 
messages to an arbitrary topic"
+description: "The camel-kafka producer can override its configured target 
topic at runtime from the kafka.OVERRIDE_TOPIC Exchange header: 
KafkaProducer.evaluateTopic() returns the header value in preference to the 
topic configured on the endpoint. The control-header constants in 
KafkaConstants (for example OVERRIDE_TOPIC = kafka.OVERRIDE_TOPIC, 
OVERRIDE_TIMESTAMP = kafka.OVERRIDE_TIMESTAMP, PARTITION_KEY = 
kafka.PARTITION_KEY) used plain, non-Camel-prefixed values. camel-kafka's own 
Kafk [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.14.x LTS releases stream, then they are 
suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, 
then they are suggested to upgrade to 4.18.3. After upgrading, routes that set 
or read Kafka headers via the raw header names must use the CamelKafka* names 
(for example CamelKafkaOverrideTopic and CamelKafkaTopic) instead of the old 
kafka.* values. For deployments  [...]
+credit: "This issue was discovered by Yu Bao from PayPal"
+affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 
before 4.21.0."
+fixed: 4.14.8, 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23584 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23602 (commit 
f8914a219ad473811c01562b5b85e83ba583b583) and backported to camel-4.18.x 
(commit d4c6fd85358b65d99dfe26722278eaf35fd0029c) and camel-4.14.x (commit 
93cd4c4e1d1619d71aa9b56c3850d4d6ccd74375). The fix renames the 12 camel-kafka 
Exchange header constant values to the C [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/
+QQAt3wgAiRhZNMcqGhsNaH9HVoItAlLFICq7uVMJr9IT5LP4m8DxFiV+8oTiqVug
+lA875ipallERiQ6M519jOpjZsBoxUCoS7KSnE1lI2M1R7Evtzp+U0Rv5ybk568xx
+4d+yH2XEmmm9Cz89/oeDSbjz90cY5rYE/K0fB4XRC1pJt4n6YvxtHteyhZtj+nQE
+WoHSbWOLfZi+AUAGVGZbL5yeZLyR+g7uvalc4VZ5kEIInlHOjxy2eeKJMIdFUip0
+jtspCK/qgVK71XfS6eCiRh8HssiB7UjtvuaO7cCNelmx1+aBuyQ2HWxwazSloYt4
+VmTEw1IOPOWAiadJFG4Ps8s2BhZbjg==
+=dgKG
+-----END PGP SIGNATURE-----

Reply via email to