PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46726 Apache CVE debrief

The CVE record describes a vulnerability in Apache Camel's Vertx Websocket component, allowing an attacker to perform a Server-Side Request Forgery (SSRF) attack and gain access to sensitive information. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. Users of Apache Camel, particularly those using the Vertx Websocket component, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of Apache Camel, applying a HeaderFilterStrategy, or implementing compensating controls such as authentication on the WebSocket endpoint.

Vendor
Apache
Product
Camel
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Users of Apache Camel, particularly those using the Vertx Websocket component, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of Apache Camel, applying a HeaderFilterStrategy, or implementing compensating controls such as authentication on the WebSocket endpoint. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and assess affected deployments.

Technical summary

The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy. This allows a client to set Camel-internal control headers, including CamelHttpUri, which can be used to redirect the server-side HTTP request to an attacker-chosen destination. Additionally, the HTTP producer resolves Camel property placeholders on the resulting URI, disclosing environment variables, application properties, and vault secrets. Users are recommended to upgrade to version 4.21.0, which fixes the issue.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Apache Camel version 4.21.0 or later
  • Apply a HeaderFilterStrategy to filter Camel header namespace
  • Implement authentication on the WebSocket endpoint
  • Remove Camel control headers from inbound messages
  • Avoid bridging untrusted consumers directly into HTTP producers
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record and NVD detail provide information on the vulnerability and its impact. The vendor advisory and mailing list discussion offer guidance on mitigation and patches. To verify, defenders should review the official advisory, assess affected deployments, and apply compensating controls as needed. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. Users should confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.503Z and has not been modified since then.