Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-49086— Apache Camel Dapr: Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to influence internal behaviour

AI Predicted 7.5 Difficulty: Easy EPSS 0.43% · P34

Affected Version Matrix 3

VendorProductVersion RangeStatus
Apache Software FoundationApache Camel Dapr4.12.0< 4.14.8affected
4.15.0< 4.18.3affected
4.19.0< 4.21.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-49086

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache Camel Dapr: Pub/Sub consumer copied the inbound CloudEvent's pub/sub-name and topic into producer-direction routing headers, allowing an actor who can publish to the subscribed topic to influence internal behaviour
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Input Validation, Unintended Proxy or Intermediary ('Confused Deputy') vulnerability in Apache Camel DAPR component. The camel-dapr Dapr Pub/Sub consumer (DaprPubSubConsumer) copied two fields from each inbound CloudEvent - its Pub/Sub component name and its topic - into the CamelDaprPubSubName and CamelDaprTopic Exchange headers. These two headers are producer-direction routing headers: when the route republishes through a Dapr producer, DaprConfigurationOptionsProxy reads them back and prefers them over the destination configured on the endpoint. As a result, in a route that consumes from one Dapr Pub/Sub topic and republishes to another (for example from('dapr-pubsub:p:t').to('dapr-pubsub:p:other')), an actor able to publish a message to the subscribed topic could set the CloudEvent's pub/sub-name and topic to values of their choosing and cause the re-published message to be delivered to an arbitrary Dapr Pub/Sub component and topic instead of the configured destination - redirecting or exfiltrating the message and bypassing the route's intended routing and any topic-level access controls in the underlying broker. Exploitation requires the ability to publish to the topic the route subscribes to; no other authentication or user interaction is needed. This issue affects Apache Camel: from 4.12.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, remove the CamelDaprPubSubName and CamelDaprTopic headers from the Exchange between the Dapr consumer and any Dapr producer in the route (for example removeHeaders('CamelDaprPubSubName', 'CamelDaprTopic')), and restrict who can publish to the subscribed Dapr Pub/Sub topic so that only trusted producers can send to it.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Camel Dapr 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache Apache Camel Dapr是美国Apache基金会的一款集成Camel与Dapr的消息路由中间件。 Apache Camel Dapr 4.12.0版本至4.14.8之前版本、4.15.0版本至4.18.3之前版本和4.19.0版本至4.21.0之前版本存在安全漏洞,该漏洞源于输入验证不当和意外代理问题,导致攻击者通过向订阅的主题发布消息,能够设置CloudEvent的pub/sub-name和topic为选定值,从而使得重新发布的消息被传递到任意Dapr Pub/Sub组件和主题而
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache Camel Dapr 4.12.0 ~ 4.14.8 -

II. Public POCs for CVE-2026-49086

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-49086

登录查看更多情报信息。

Vendor Advisories for CVE-2026-49086 (1)

Same Patch Batch · Apache Software Foundation · 2026-07-06 · 39 CVEs total

CVE-2026-46457Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange withou
CVE-2026-48205Apache Camel DNS: The dns.* and term Exchange header constants used non-Camel-prefixed nam
CVE-2026-48204Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed n
CVE-2026-48203Apache Camel: Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-
CVE-2026-46726Apache Camel Vertx Websocket: The inbound consumer maps externally-supplied WebSocket quer
CVE-2026-46592Apache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed name
CVE-2026-46591Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header a
CVE-2026-46590Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle manager
CVE-2026-46585Apache Camel Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETUR
CVE-2026-46584Apache Camel Mail: The mail producer applied attacker-supplied message headers as JavaMail
CVE-2026-48206Apache Camel JIRA: A set of non-Camel-prefixed Exchange header constants bypass the HTTP h
CVE-2026-46456Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange with
CVE-2026-46455Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the
CVE-2026-46454Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange wi
CVE-2026-46453Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel
CVE-2026-43865Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed H
CVE-2026-42527Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables
CVE-2026-40859Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a
CVE-2026-40047Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argum
CVE-2026-56140Apache Camel AWS2 SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStra

Showing top 20 of 39 CVEs. View all on vendor page &rarr; →

IV. Related Vulnerabilities

V. Comments for CVE-2026-49086

No comments yet


Leave a comment