PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46585 Apache CVE debrief

The CVE record describes a vulnerability in Apache Camel's Lucene component, allowing for improper input validation and authorization bypass. An attacker could exploit this by setting the QUERY header in an HTTP request, leading to potential unauthorized access to documents in the full-text index. This vulnerability affects Apache Camel versions 4.0.0 to 4.14.8, 4.15.0 to 4.18.3, and 4.19.0 to 4.21.0. Users of these versions should be aware of this vulnerability and take steps to mitigate it.

Vendor
Apache
Product
Camel
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Users of Apache Camel, particularly those using versions 4.0.0 to 4.14.8, 4.15.0 to 4.18.3, and 4.19.0 to 4.21.0, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene query operation behind an HTTP consumer, any HTTP client could therefore set the QUERY header and have its value executed against the full-text index, overriding the query the route intended to run.

Defensive priority

High

Recommended defensive actions

  • Upgrade to version 4.21.0 or later
  • If using 4.14.x LTS releases, upgrade to 4.14.8
  • If using 4.18.x releases, upgrade to 4.18.3
  • Strip attacker-controllable headers before the Lucene producer
  • Set the query from a trusted source
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, affected versions, and potential impact. Vendor advisories and mailing list discussions are also available. To verify, defenders should check the official CVE record and NVD detail for accurate information on affected versions and potential impact. Additionally, reviewing vendor advisories and mailing list discussions can provide further context on the vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.030Z and has not been modified since then.