This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit cc2ec06f942df0eedf1267d42d8e6567311c7bfe Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:06 2026 +0200 Added CVE-2026-49098 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-49098.md | 17 +++++++++++++++++ content/security/CVE-2026-49098.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-49098.md b/content/security/CVE-2026-49098.md new file mode 100644 index 00000000..5dea81c4 --- /dev/null +++ b/content/security/CVE-2026-49098.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-49098" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-49098.html +draft: false +type: security-advisory +cve: CVE-2026-49098 +severity: MEDIUM +summary: "Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic" +description: "The camel-kafka producer can override its configured target topic at runtime from the kafka.OVERRIDE_TOPIC Exchange header: KafkaProducer.evaluateTopic() returns the header value in preference to the topic configured on the endpoint. The control-header constants in KafkaConstants (for example OVERRIDE_TOPIC = kafka.OVERRIDE_TOPIC, OVERRIDE_TIMESTAMP = kafka.OVERRIDE_TIMESTAMP, PARTITION_KEY = kafka.PARTITION_KEY) used plain, non-Camel-prefixed values. camel-kafka's own Kafk [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set or read Kafka headers via the raw header names must use the CamelKafka* names (for example CamelKafkaOverrideTopic and CamelKafkaTopic) instead of the old kafka.* values. For deployments [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23584 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23602 (commit f8914a219ad473811c01562b5b85e83ba583b583) and backported to camel-4.18.x (commit d4c6fd85358b65d99dfe26722278eaf35fd0029c) and camel-4.14.x (commit 93cd4c4e1d1619d71aa9b56c3850d4d6ccd74375). The fix renames the 12 camel-kafka Exchange header constant values to the C [...] diff --git a/content/security/CVE-2026-49098.txt.asc b/content/security/CVE-2026-49098.txt.asc new file mode 100644 index 00000000..f2ab508b --- /dev/null +++ b/content/security/CVE-2026-49098.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-49098" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-49098.html +draft: false +type: security-advisory +cve: CVE-2026-49098 +severity: MEDIUM +summary: "Apache Camel: Camel-Kafka: The kafka.OVERRIDE_TOPIC (and other kafka.*) Exchange header constants used non-Camel-prefixed names that bypass the upstream HTTP header filter, allowing an HTTP client to redirect Kafka messages to an arbitrary topic" +description: "The camel-kafka producer can override its configured target topic at runtime from the kafka.OVERRIDE_TOPIC Exchange header: KafkaProducer.evaluateTopic() returns the header value in preference to the topic configured on the endpoint. The control-header constants in KafkaConstants (for example OVERRIDE_TOPIC = kafka.OVERRIDE_TOPIC, OVERRIDE_TIMESTAMP = kafka.OVERRIDE_TIMESTAMP, PARTITION_KEY = kafka.PARTITION_KEY) used plain, non-Camel-prefixed values. camel-kafka's own Kafk [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set or read Kafka headers via the raw header names must use the CamelKafka* names (for example CamelKafkaOverrideTopic and CamelKafkaTopic) instead of the old kafka.* values. For deployments [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23584 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23602 (commit f8914a219ad473811c01562b5b85e83ba583b583) and backported to camel-4.18.x (commit d4c6fd85358b65d99dfe26722278eaf35fd0029c) and camel-4.14.x (commit 93cd4c4e1d1619d71aa9b56c3850d4d6ccd74375). The fix renames the 12 camel-kafka Exchange header constant values to the C [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/ +QQAt3wgAiRhZNMcqGhsNaH9HVoItAlLFICq7uVMJr9IT5LP4m8DxFiV+8oTiqVug +lA875ipallERiQ6M519jOpjZsBoxUCoS7KSnE1lI2M1R7Evtzp+U0Rv5ybk568xx +4d+yH2XEmmm9Cz89/oeDSbjz90cY5rYE/K0fB4XRC1pJt4n6YvxtHteyhZtj+nQE +WoHSbWOLfZi+AUAGVGZbL5yeZLyR+g7uvalc4VZ5kEIInlHOjxy2eeKJMIdFUip0 +jtspCK/qgVK71XfS6eCiRh8HssiB7UjtvuaO7cCNelmx1+aBuyQ2HWxwazSloYt4 +VmTEw1IOPOWAiadJFG4Ps8s2BhZbjg== +=dgKG +-----END PGP SIGNATURE-----
