PatchSiren cyber security CVE debrief
CVE-2026-46592 Apache CVE debrief
A vulnerability was found in Apache Camel, specifically in the CXF SOAP component. This issue is related to improper input validation and the unintended use of a proxy or intermediary, often referred to as a 'confused deputy' problem. The vulnerability allows an attacker to manipulate the SOAP operation invoked on a backend service by setting the operationName header in an HTTP request. This can lead to unintended actions being performed on the backend SOAP service, potentially replacing a read operation with a destructive one. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0.
- Vendor
- Apache
- Product
- Camel
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Users of Apache Camel, particularly those using the CXF SOAP component, should be aware of this vulnerability. The vulnerability can be exploited by an attacker to perform unintended actions on the backend SOAP service, potentially leading to security breaches. Users are recommended to upgrade to version 4.21.0 or apply the suggested mitigations to prevent exploitation.
Technical summary
The camel-cxf producer in Apache Camel selects which SOAP operation to invoke on the backend service from the operationName (and operationNamespace) Exchange header. These headers are not prefixed with 'Camel/' and thus are not blocked by HttpHeaderFilterStrategy, allowing them to pass from an inbound HTTP request into the Exchange. In a route that bridges an HTTP consumer into a cxf: producer, any HTTP client could set the operationName header and have CxfProducer resolve and invoke a different WSDL operation than intended. This could allow an attacker to replace a read operation with a destructive one against the backend SOAP service. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0.
Defensive priority
High
Recommended defensive actions
- Upgrade to Apache Camel version 4.21.0 or later
- If using version 4.14.x, upgrade to 4.14.8
- If using version 4.18.x, upgrade to 4.18.3
- Strip the operationName and operationNamespace headers from any untrusted ingress before the cxf: producer
- Set the operation from a trusted source in the route
Evidence notes
The CVE record was published on 2026-07-06T09:16:37.380Z and was last modified on 2026-07-08T14:54:24.890Z. The NVD entry is currently Analyzed. References include a Vendor Advisory from [email protected] and a Mailing List, Third Party Advisory from af854a3a-2127-422b-91ae-364da2661108.
Official resources
-
CVE-2026-46592 CVE record
CVE.org
-
CVE-2026-46592 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.380Z and has not been modified since then. The NVD entry is currently Analyzed.