Severity: moderate 

Affected versions:

- Apache Camel (org.apache.camel:camel-irc) 4.0.0 before 4.14.8
- Apache Camel (org.apache.camel:camel-irc) 4.15.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-irc) 4.19.0 before 4.21.0

Description:

Improper Input Validation, Improper Neutralization of Special Elements in 
Output Used by a Downstream Component ('Injection') vulnerability in Apache 
Camel IRC component.

The camel-irc producer chooses the destination of an outgoing IRC message from 
the irc.sendTo Exchange header (the constant IrcConstants.IRC_SEND_TO, value 
irc.sendTo); when that header is present it overrides the channel list 
configured on the endpoint, and the message is sent only to the specified 
destination. This and the component's other control headers (irc.target, 
irc.messageType, irc.user.*, irc.num, irc.value) used plain, non-Camel-prefixed 
values. Because these names do not start with the Camel / camel prefix, 
HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the 
HTTP boundary - let them pass from an inbound HTTP request straight into the 
Exchange. In a route that bridges an HTTP consumer (for example platform-http) 
into an irc: producer, any HTTP client could therefore set the irc.sendTo 
header and redirect a message that the route intended for a configured channel 
to an arbitrary IRC channel or user - exfiltrating the message content to an 
attacker-chosen nickname, leaking it into a public channel, or delivering 
messages that appear to come from the bot. No credentials are required when the 
bridging consumer is unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If 
users are on the 4.14.x LTS releases stream, then they are suggested to upgrade 
to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. After upgrading, routes that set IRC headers via the raw 
header names must use the CamelIrc* names (for example CamelIrcSendTo) instead 
of the old irc.* values. For deployments that cannot upgrade immediately, strip 
the irc.* headers from any untrusted ingress before the irc: producer (for 
example removeHeaders('irc.*') at the start of the route), and set the IRC 
destination from a trusted source.

Credit:

Yu Bao from PayPal (finder)
Andrea Cosentino (remediation developer)

References:

https://camel.apache.org/security/CVE-2026-49097.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-49097

Reply via email to