This is an automated email from the ASF dual-hosted git repository. Croway pushed a commit to branch add-cve-2026-46587-46588-49042 in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit d02b49def67395e3531e8e10c304e0f39d77646d Author: Croway <[email protected]> AuthorDate: Mon Jul 6 09:35:20 2026 +0200 Added CVE-2026-46588 --- content/security/CVE-2026-46588.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/content/security/CVE-2026-46588.md b/content/security/CVE-2026-46588.md new file mode 100644 index 00000000..3b13d2b9 --- /dev/null +++ b/content/security/CVE-2026-46588.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-46588" +date: 2026-07-03T10:00:00+02:00 +url: /security/CVE-2026-46588.html +draft: false +type: security-advisory +cve: CVE-2026-46588 +severity: MEDIUM +summary: "Camel-CouchDB: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input" +description: "The camel-couchdb component reads several Exchange headers to control its behaviour - CouchDbDatabase (the database name), CouchDbSeq (the changeset sequence number), CouchDbId (the document id), CouchDbRev (the document revision) and CouchDbMethod (the operation method). The string values of these header constants, defined in CouchDbConstants, use the CouchDb prefix rather than the standard Camel prefix used by every other Camel component (for example CamelSqlQuery, CamelM [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix renames the camel-couchdb Exchange header constant string values (CouchDbDatabase, CouchDbSeq, CouchDbId, CouchDbRev, CouchDbMethod) to carry the Camel prefix (CamelCouchDbDatabase, CamelCouchDbSeq, CamelCouchDbI [...] +credit: "This issue was discovered by Yu Bao from PayPal" +affected: "From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.14.8, 4.18.3 and 4.21.0 +--- + +The fix was merged on main in https://github.com/apache/camel/pull/23228 (commit f35286f9eaee6740482e6ef11f8c68d785c49567) and backported to camel-4.18.x in https://github.com/apache/camel/pull/23230 (commit 8d74cdca9befc74b49d9c52ac6a145be1d413e7d) and camel-4.14.x in https://github.com/apache/camel/pull/23231 (commit c16f7ef39849ae8819f50c959b538350b8f839e9). The issue is classified as CWE-20 (Improper Input Validation). It belongs to the same Camel message-header-injection family as C [...]
