PatchSiren cyber security CVE debrief
CVE-2026-46591 Apache CVE debrief
The CVE record describes a vulnerability in Apache Camel's Neo4J component, where an attacker can inject arbitrary Cypher queries by manipulating the CamelNeo4jMatchProperties map. This issue affects Apache Camel versions from 4.10.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The vulnerability has a high CVSS score of 8.2 and is considered a high-severity issue. Users of Apache Camel, especially those using the Neo4J component, should be aware of this vulnerability and take steps to mitigate it by upgrading to a fixed version or implementing compensating controls.
- Vendor
- Apache
- Product
- Camel
- CVSS
- HIGH 8.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Users of Apache Camel, especially those using the Neo4J component, should be aware of this vulnerability and take steps to mitigate it by upgrading to a fixed version or implementing compensating controls. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact of this vulnerability on their environment and take appropriate action.
Technical summary
The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the structure of the executed query. Where a route maps untrusted input into the CamelNeo4jMatchProperties map - for example by passing a request body as the match map, or from a consumer that does not filter inbound Camel* headers - an attacker who controls the JSON key names can inject arbitrary Cypher and read, modify or delete any node or relationship in the Neo4j database.
Defensive priority
High
Recommended defensive actions
- Upgrade to Apache Camel version 4.21.0 or later
- If using 4.14.x LTS releases, upgrade to 4.14.8
- If using 4.18.x releases, upgrade to 4.18.3
- Validate or allow-list property names before the Neo4j producer
- Ensure consumers filter inbound Camel* / camel* headers
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and vendor advisory provide details on the vulnerability and affected versions. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify the affected versions and product deployments in their environment, and review the official advisory for specific guidance on mitigation and remediation.
Official resources
-
CVE-2026-46591 CVE record
CVE.org
-
CVE-2026-46591 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.263Z and has not been modified since then.