PatchSiren cyber security CVE debrief
CVE-2026-55993 Apache Software Foundation CVE debrief
The CVE-2026-55993 vulnerability is an Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, and Server-Side Request Forgery (SSRF) issue in Apache Camel's Atmosphere Websocket Component. The vulnerability allows a client connecting to the WebSocket endpoint to set Camel-internal control headers, including CamelHttpUri, by supplying them as query parameters. This can lead to a server-side request forgery attack, allowing an attacker to redirect the server-side HTTP request to an attacker-chosen destination. Additionally, the HTTP producer resolves Camel property placeholders on the resulting URI, disclosing environment variables, application properties, and vault secrets.
- Vendor
- Apache Software Foundation
- Product
- Apache Camel Atmosphere Websocket
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-07
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-07
Who should care
Users of Apache Camel, particularly those using versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header map without applying any HeaderFilterStrategy. This allows a client to set Camel-internal control headers, including CamelHttpUri, by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination. The HTTP producer resolves Camel property placeholders on the resulting URI, disclosing environment variables, application properties, and vault secrets.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 4.21.0 or later
- Apply the HeaderFilterStrategy to filter Camel header namespace
- Strip Camel control headers from inbound messages
- Require authentication on the WebSocket endpoint
- Avoid bridging an untrusted consumer directly into an HTTP producer
Evidence notes
The CVE record was published on 2026-07-06T09:16:38.897Z and was last modified on 2026-07-07T13:16:31.980Z. The NVD entry is currently Undergoing Analysis. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3.
Official resources
-
CVE-2026-55993 CVE record
CVE.org
-
CVE-2026-55993 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
-
Source reference
af854a3a-2127-422b-91ae-364da2661108
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:38.897Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.