PatchSiren cyber security CVE debrief
CVE-2026-46585 Apache CVE debrief
The CVE record describes a vulnerability in Apache Camel's Lucene component, allowing for improper input validation and authorization bypass. An attacker could exploit this by setting the QUERY header in an HTTP request, leading to potential unauthorized access to documents in the full-text index. This vulnerability affects Apache Camel versions 4.0.0 to 4.14.8, 4.15.0 to 4.18.3, and 4.19.0 to 4.21.0. Users of these versions should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- Apache
- Product
- Camel
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Users of Apache Camel, particularly those using versions 4.0.0 to 4.14.8, 4.15.0 to 4.18.3, and 4.19.0 to 4.21.0, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation behind an HTTP consumer, any HTTP client could therefore set the QUERY header and have its value executed against the full-text index, overriding the query the route intended to run.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 4.21.0 or later
- If using 4.14.x LTS releases, upgrade to 4.14.8
- If using 4.18.x releases, upgrade to 4.18.3
- Strip attacker-controllable headers before the Lucene producer
- Set the query from a trusted source
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, affected versions, and potential impact. Vendor advisories and mailing list discussions are also available. To verify, defenders should check the official CVE record and NVD detail for accurate information on affected versions and potential impact. Additionally, reviewing vendor advisories and mailing list discussions can provide further context on the vulnerability.
Official resources
-
CVE-2026-46585 CVE record
CVE.org
-
CVE-2026-46585 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.030Z and has not been modified since then.