This is an automated email from the ASF dual-hosted git repository.
Croway pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new 6bfa82f7 Fix HTML validation: escape angle brackets in CVE-2026-49042
and re-sign
6bfa82f7 is described below
commit 6bfa82f75cda53970fea33a6ab22489153691e34
Author: Croway <[email protected]>
AuthorDate: Mon Jul 6 10:34:58 2026 +0200
Fix HTML validation: escape angle brackets in CVE-2026-49042 and re-sign
---
content/security/CVE-2026-49042.md | 2 +-
content/security/CVE-2026-49042.txt.asc | 30 +++++++++++++++---------------
2 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/content/security/CVE-2026-49042.md
b/content/security/CVE-2026-49042.md
index 36d4dd29..b41a15a0 100644
--- a/content/security/CVE-2026-49042.md
+++ b/content/security/CVE-2026-49042.md
@@ -8,7 +8,7 @@ cve: CVE-2026-49042
severity: MEDIUM
summary: "Camel-Langchain4j-Tools: Tool argument headers are not filtered
against declared parameters, allowing an LLM to inject arbitrary Exchange
headers via tool call arguments"
description: "Improper Input Validation vulnerability in Apache Camel. The
camel-langchain4j-tools, camel-langchain4j-agent and camel-spring-ai-tools
producers set all JSON field names returned by the LLM in a tool-call response
as Exchange message headers without filtering them against the tool's declared
parameter schema. An attacker who can influence the LLM output (for example via
prompt injection) can include arbitrary field names in the tool arguments JSON
- including Camel-interna [...]
-mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes
the issue. If users are on the 4.18.x releases stream, then they are suggested
to upgrade to 4.18.3. After upgrading, only tool argument fields that match a
declared parameter.<name> in the tool specification are set as Exchange
headers. Tools defined without parameter declarations will have zero argument
headers set from LLM tool calls - this is a breaking change for routes that
rely on implicit argument passth [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes
the issue. If users are on the 4.18.x releases stream, then they are suggested
to upgrade to 4.18.3. After upgrading, only tool argument fields that match a
declared parameter in the tool specification are set as Exchange headers. Tools
defined without parameter declarations will have zero argument headers set from
LLM tool calls - this is a breaking change for routes that rely on implicit
argument passthrough; [...]
credit: "This issue was discovered by Yu Bao from PayPal"
affected: "From 4.8.0 before 4.18.3, from 4.19.0 before 4.21.0."
fixed: 4.18.3 and 4.21.0
diff --git a/content/security/CVE-2026-49042.txt.asc
b/content/security/CVE-2026-49042.txt.asc
index 72a45424..a9a09264 100644
--- a/content/security/CVE-2026-49042.txt.asc
+++ b/content/security/CVE-2026-49042.txt.asc
@@ -11,7 +11,7 @@ cve: CVE-2026-49042
severity: MEDIUM
summary: "Camel-Langchain4j-Tools: Tool argument headers are not filtered
against declared parameters, allowing an LLM to inject arbitrary Exchange
headers via tool call arguments"
description: "Improper Input Validation vulnerability in Apache Camel. The
camel-langchain4j-tools, camel-langchain4j-agent and camel-spring-ai-tools
producers set all JSON field names returned by the LLM in a tool-call response
as Exchange message headers without filtering them against the tool's declared
parameter schema. An attacker who can influence the LLM output (for example via
prompt injection) can include arbitrary field names in the tool arguments JSON
- including Camel-interna [...]
-mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes
the issue. If users are on the 4.18.x releases stream, then they are suggested
to upgrade to 4.18.3. After upgrading, only tool argument fields that match a
declared parameter.<name> in the tool specification are set as Exchange
headers. Tools defined without parameter declarations will have zero argument
headers set from LLM tool calls - this is a breaking change for routes that
rely on implicit argument passth [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes
the issue. If users are on the 4.18.x releases stream, then they are suggested
to upgrade to 4.18.3. After upgrading, only tool argument fields that match a
declared parameter in the tool specification are set as Exchange headers. Tools
defined without parameter declarations will have zero argument headers set from
LLM tool calls - this is a breaking change for routes that rely on implicit
argument passthrough; [...]
credit: "This issue was discovered by Yu Bao from PayPal"
affected: "From 4.8.0 before 4.18.3, from 4.19.0 before 4.21.0."
fixed: 4.18.3 and 4.21.0
@@ -20,18 +20,18 @@ fixed: 4.18.3 and 4.21.0
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23621 refers to
the various commits that resolved the issue, and has more details. The fix was
merged on main in https://github.com/apache/camel/pull/23535 (commit
7e65891f77aee72dc24c8099e9ba48a93962042b) and backported to camel-4.18.x in
https://github.com/apache/camel/pull/23551 (commit
5d0028f6bc7a70556dc1d408b1b6cadb59e1842d). The fix adds parameter-schema
filtering to three components: LangChain4jToolsProducer and LangCha [...]
-----BEGIN PGP SIGNATURE-----
-iQJPBAEBCgA5FiEEXhypCOH+Pe54HVUTBwmP38yc5+YFAmpLW74bFIAAAAAABAAO
-bWFudTIsMi41KzEuMTIsMCwzAAoJEAcJj9/MnOfmXHUP+wYlqxJ00U/bAQagxCIu
-8zNQiFjz2J0N6wGGE9RaoUC/kAo3Y09TQYy04EbqpEGgT8bUUV5N4Ymt+i566K1j
-6pgaMHbhTz3UbqiWQCo8n/VxukS1ChTnuWig1mm2hBrnQ2fKRISBZrZ8VnP1Fs0N
-dlLwwQCbJjsD82lKDPSgYyAXacXKfy2dGGZkgierqpMX6AOeT0V8gyKzt31d7Hag
-LcHNUWUNB2BqolJdU/iDh3RMq2eN53ACpKQAz3aN7EHWl1TTr35Ge0lhzTGFO5cW
-4Iigc3p8J8PFgV/LEy3RuQ4Qmm7TRKGwjFMb2H5HaH4R6H6ijz31fVtkny8y43iN
-2PaMIoY3KsceUIoe4QfGYD6qQlJTeRk3UkiGSxX+p3tO1AS029aqyhr7vtM+FVUS
-aIcAUZ0/ZzkZdFsD7KfnyQJPHn0fjbI1UMgnIzspACw2+T8SZa0229DuxovLxSxZ
-4/XwHg2yNKYypELsjwFt1y8noPVqh58W1gpzlODYpWX/jtygid2r9f0c4ZIgHvox
-layYR2IqHsp+wtfTfFZEdhAdYSamPC9ulJ1KeSUT2smMBSDTi40wnqmIJgnCS8o1
-SQyeHarhlnN2Megb8ZvwVpnPJQuhnb6VcNlVZcRg09AlHdEep4oR/qAafcrHYuuE
-f1ST/jrT790F4O0QUoZLtH6j
-=Y8Uo
+iQJPBAEBCgA5FiEEXhypCOH+Pe54HVUTBwmP38yc5+YFAmpLaJsbFIAAAAAABAAO
+bWFudTIsMi41KzEuMTIsMCwzAAoJEAcJj9/MnOfmdu8P+QHxI9DqzUpM5Z/5ex6r
+wBWHskSD7yOpuRMw0LV7FCTuoZDCBKSapkQnWQqcDB6CK3QE3B2NJe6sZNF4tadl
+Updeanfh2I+z64WTWRdWUoFkN4PazipRRYvwNXxPoTRPvQUkWS3CluLPaWmGXxEo
+PYWahrp4oM1x732TdHKV0U3HAVVflmC/oBzVPF71aaGDHM5zAp3479cPfXKAlqKb
+hAH5zZ07NuaYS0EyrxFL0WU7M6lA6ofbRNVxc49YRy8FMdmTeRk4UuCjWAzTPzQc
+E5C2ZLl3zeIcmxqS0jcKjIGOWUY7cequhUNJSapSmaZriephOcGtmIMKPjIvnfoN
+t/SxB5aRgscVmNl2acVpAt5X9kEuMmQYlTqHnR/4Xtz1c//wx7xH6X5WuoW8977z
+4udvwcFAsbinHSlLuU2JqOEahuC2InOaG1L0+5NuloreuUHJaxhd2Z3XAEGW0mlR
+NPPkzDPM1Fra7h3itUUkth/76P1N6YtpFGTSCJ1BiMCdTAHqcTAdOF9+LC4AjDIL
+6qrAkwXcGXhre2zpJ/wc/AOZFRezDIfD1OrpL09BHBFcPPRYP8EwJYh259z+lqNj
++FpO0/noA1FD5AlQ34x42Lk2jml+rUBpWlZlICrMBwAfHyqcMVLKlexkvzLmjbbI
+JAWreps8fsu4iJ0CU9WBdvpP
+=8UOY
-----END PGP SIGNATURE-----