PatchSiren

CVE-2026-45760 Apache Software Foundation CVE debrief

CVE-2026-45760 affects Apache Camel K and involves an authorization bypass through a user-controlled key / externally controlled reference issue. According to the published description, an authorized user in a Kubernetes namespace can create a Build resource and influence where the resulting Pod is generated, including in the operator namespace. Apache recommends upgrading to a fixed release: 2.8.1, 2.9.2, or 2.10.1 depending on the line you are on.

Vendor: Apache Software Foundation
Product: Apache Camel K
CVSS: Unknown
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-21
Original CVE updated: 2026-05-21
Advisory published: 2026-05-21
Advisory updated: 2026-05-21

Who should care

Operators and platform teams running Apache Camel K on Kubernetes, especially clusters that let namespace users create Build resources or rely on namespace isolation for operator workloads.

Technical summary

The published advisory describes a namespace-boundary control issue in Apache Camel K. A user who is authorized in one Kubernetes namespace can create a Build resource that controls Pod generation in a namespace of their choosing, which may include the operator namespace. NVD lists the related weaknesses as CWE-610 and CWE-639. The affected versions are 2.0.0 before 2.8.1, 2.9.0 before 2.9.2, and 2.10.0 before 2.10.1.

Defensive priority

High

Recommended defensive actions

  • Upgrade Apache Camel K to 2.10.1, or to 2.9.2 / 2.8.1 if you are on those release lines.
  • Review which Kubernetes identities are allowed to create Build resources and restrict that permission to the minimum necessary set.
  • Audit whether Camel K Build resources can target namespaces beyond the requester’s own namespace, including the operator namespace.
  • Verify namespace isolation, admission controls, and RBAC policies around Camel K-managed resources.
  • Monitor for unexpected Build creation activity and Pod placement in operator or other sensitive namespaces.
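
One way to carry out the RBAC review in the second action above, as an added example (not code from Apache, NVD or this debrief's sources): the script takes the items of `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json` and lists every subject whose bound role allows creating Build resources, counting wildcard rules. The API group `camel.apache.org` and the resource name `builds` are assumptions not stated in the advisory text, and the sample objects are constructed.

```python
CAMEL_GROUP = "camel.apache.org"  # assumption: API group of the Camel K CRDs
BUILD_RESOURCE = "builds"         # assumption: plural resource name for Build

def rule_allows_build_create(rule):
    """True if an RBAC rule grants 'create' on Builds, honouring '*' wildcards."""
    def hit(key, wanted):
        values = rule.get(key) or []
        return "*" in values or wanted in values
    return (hit("apiGroups", CAMEL_GROUP) and hit("resources", BUILD_RESOURCE)
            and hit("verbs", "create"))

def build_creators(objects):
    """Return sorted (scope, subject kind, subject name, role) tuples.
    scope is the binding's namespace, or "*" for a ClusterRoleBinding."""
    granting = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"])
                for o in objects if o["kind"] in ("Role", "ClusterRole")
                and any(rule_allows_build_create(r) for r in o.get("rules") or [])}
    findings = []
    for o in objects:
        if o["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, ns = o["roleRef"], o["metadata"].get("namespace")
        role_ns = ns if ref["kind"] == "Role" else None  # ClusterRoles have no namespace
        if (ref["kind"], role_ns, ref["name"]) in granting:
            scope = ns if o["kind"] == "RoleBinding" else "*"
            findings += [(scope, s["kind"], s["name"], ref["name"])
                         for s in o.get("subjects") or []]
    return sorted(findings)

def _role(kind, name, ns, resources, verbs):
    rule = {"apiGroups": [CAMEL_GROUP], "resources": resources, "verbs": verbs}
    return {"kind": kind, "metadata": {"name": name, "namespace": ns}, "rules": [rule]}

def _binding(ns, ref_kind, ref_name, subj_kind, subj_name):
    return {"kind": "RoleBinding", "metadata": {"name": "rb", "namespace": ns},
            "roleRef": {"kind": ref_kind, "name": ref_name},
            "subjects": [{"kind": subj_kind, "name": subj_name}]}

SAMPLE = [  # constructed objects, not from a real cluster
    _role("ClusterRole", "camel-edit", None, ["*"], ["*"]),
    _role("Role", "build-submitter", "team-a", ["builds"], ["create", "get"]),
    _role("Role", "build-viewer", "team-b", ["builds"], ["get", "list"]),
    _binding("team-a", "Role", "build-submitter", "User", "alice"),
    _binding("team-b", "ClusterRole", "camel-edit", "Group", "devs"),
    _binding("team-b", "Role", "build-viewer", "User", "bob"),
]

if __name__ == "__main__":
    print(*build_creators(SAMPLE), sep="\n")
```

Any subject reported with scope "*" or through a wildcard role is a candidate for tightening under the least-privilege action above.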

Evidence notes

This debrief is based only on the supplied NVD entry and the linked Apache security advisory reference. The source corpus states the issue, affected version ranges, the fixed versions, the namespace-impacting behavior, and the listed weaknesses (CWE-610 and CWE-639). No CVSS score was provided in the supplied data, and no KEV entry was present.

Official resources

Published on 2026-05-21 in the supplied records; NVD references the Apache security advisory for the issue. No KEV listing was present in the supplied data.