PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55993 Apache Software Foundation CVE debrief

The CVE-2026-55993 vulnerability is an Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, and Server-Side Request Forgery (SSRF) issue in Apache Camel's Atmosphere Websocket Component. The vulnerability allows a client connecting to the WebSocket endpoint to set Camel-internal control headers, including CamelHttpUri, by supplying them as query parameters. This can lead to a server-side request forgery attack, allowing an attacker to redirect the server-side HTTP request to an attacker-chosen destination. Additionally, the HTTP producer resolves Camel property placeholders on the resulting URI, disclosing environment variables, application properties, and vault secrets.

Vendor
Apache Software Foundation
Product
Apache Camel Atmosphere Websocket
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-07
Advisory published
2026-07-06
Advisory updated
2026-07-07

Who should care

Users of Apache Camel, particularly those using versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header map without applying any HeaderFilterStrategy. This allows a client to set Camel-internal control headers, including CamelHttpUri, by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination. The HTTP producer resolves Camel property placeholders on the resulting URI, disclosing environment variables, application properties, and vault secrets.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 4.21.0 or later
  • Apply the HeaderFilterStrategy to filter Camel header namespace
  • Strip Camel control headers from inbound messages
  • Require authentication on the WebSocket endpoint
  • Avoid bridging an untrusted consumer directly into an HTTP producer

Evidence notes

The CVE record was published on 2026-07-06T09:16:38.897Z and was last modified on 2026-07-07T13:16:31.980Z. The NVD entry is currently Undergoing Analysis. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:38.897Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.