PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46592 Apache CVE debrief

A vulnerability was found in Apache Camel, specifically in the CXF SOAP component. This issue is related to improper input validation and the unintended use of a proxy or intermediary, often referred to as a 'confused deputy' problem. The vulnerability allows an attacker to manipulate the SOAP operation invoked on a backend service by setting the operationName header in an HTTP request. This can lead to unintended actions being performed on the backend SOAP service, potentially replacing a read operation with a destructive one. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0.

Vendor
Apache
Product
Camel
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Users of Apache Camel, particularly those using the CXF SOAP component, should be aware of this vulnerability. The vulnerability can be exploited by an attacker to perform unintended actions on the backend SOAP service, potentially leading to security breaches. Users are recommended to upgrade to version 4.21.0 or apply the suggested mitigations to prevent exploitation.

Technical summary

The camel-cxf producer in Apache Camel selects which SOAP operation to invoke on the backend service from the operationName (and operationNamespace) Exchange header. These headers are not prefixed with 'Camel/' and thus are not blocked by HttpHeaderFilterStrategy, allowing them to pass from an inbound HTTP request into the Exchange. In a route that bridges an HTTP consumer into a cxf: producer, any HTTP client could set the operationName header and have CxfProducer resolve and invoke a different WSDL operation than intended. This could allow an attacker to replace a read operation with a destructive one against the backend SOAP service. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Apache Camel version 4.21.0 or later
  • If using version 4.14.x, upgrade to 4.14.8
  • If using version 4.18.x, upgrade to 4.18.3
  • Strip the operationName and operationNamespace headers from any untrusted ingress before the cxf: producer
  • Set the operation from a trusted source in the route

Evidence notes

The CVE record was published on 2026-07-06T09:16:37.380Z and was last modified on 2026-07-08T14:54:24.890Z. The NVD entry is currently Analyzed. References include a Vendor Advisory from [email protected] and a Mailing List, Third Party Advisory from af854a3a-2127-422b-91ae-364da2661108.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.380Z and has not been modified since then. The NVD entry is currently Analyzed.