PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46591 Apache CVE debrief

The CVE record describes a vulnerability in Apache Camel's Neo4J component, where an attacker can inject arbitrary Cypher queries by manipulating the CamelNeo4jMatchProperties map. This issue affects Apache Camel versions from 4.10.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The vulnerability has a high CVSS score of 8.2 and is considered a high-severity issue. Users of Apache Camel, especially those using the Neo4J component, should be aware of this vulnerability and take steps to mitigate it by upgrading to a fixed version or implementing compensating controls.

Vendor
Apache
Product
Camel
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Users of Apache Camel, especially those using the Neo4J component, should be aware of this vulnerability and take steps to mitigate it by upgrading to a fixed version or implementing compensating controls. This includes operators, platform administrators, vulnerability management teams, and security teams who need to assess the impact of this vulnerability on their environment and take appropriate action.

Technical summary

The camel-neo4j producer builds the Cypher WHERE clause for its match/retrieve and delete operations from the CamelNeo4jMatchProperties map. CVE-2025-66169 addressed Cypher injection through the property values by binding them as query parameters ($paramN), but the property names (the JSON keys of that map) were still concatenated into the query string verbatim in Neo4jProducer.retrieveNodes() and deleteNode(). A property name containing Cypher syntax therefore alters the structure of the executed query. Where a route maps untrusted input into the CamelNeo4jMatchProperties map - for example by passing a request body as the match map, or from a consumer that does not filter inbound Camel* headers - an attacker who controls the JSON key names can inject arbitrary Cypher and read, modify or delete any node or relationship in the Neo4j database.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Apache Camel version 4.21.0 or later
  • If using 4.14.x LTS releases, upgrade to 4.14.8
  • If using 4.18.x releases, upgrade to 4.18.3
  • Validate or allow-list property names before the Neo4j producer
  • Ensure consumers filter inbound Camel* / camel* headers
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and vendor advisory provide details on the vulnerability and affected versions. Evidence is limited to public sources and may not reflect the full scope or impact of the vulnerability. Defenders should verify the affected versions and product deployments in their environment, and review the official advisory for specific guidance on mitigation and remediation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.263Z and has not been modified since then.