PatchSiren cyber security CVE debrief
CVE-2026-46726 Apache CVE debrief
The CVE record describes a vulnerability in Apache Camel's Vertx Websocket component, allowing an attacker to perform a Server-Side Request Forgery (SSRF) attack and gain access to sensitive information. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. Users of Apache Camel, particularly those using the Vertx Websocket component, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of Apache Camel, applying a HeaderFilterStrategy, or implementing compensating controls such as authentication on the WebSocket endpoint.
- Vendor
- Apache
- Product
- Camel
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Users of Apache Camel, particularly those using the Vertx Websocket component, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to a patched version of Apache Camel, applying a HeaderFilterStrategy, or implementing compensating controls such as authentication on the WebSocket endpoint. Operators, platform administrators, vulnerability management teams, and security teams should review the official advisory and assess affected deployments.
Technical summary
The camel-vertx-websocket consumer mapped inbound WebSocket query and path parameters into the Camel Exchange header map without applying any HeaderFilterStrategy. This allows a client to set Camel-internal control headers, including CamelHttpUri, which can be used to redirect the server-side HTTP request to an attacker-chosen destination. Additionally, the HTTP producer resolves Camel property placeholders on the resulting URI, disclosing environment variables, application properties, and vault secrets. Users are recommended to upgrade to version 4.21.0, which fixes the issue.
Defensive priority
High
Recommended defensive actions
- Upgrade to Apache Camel version 4.21.0 or later
- Apply a HeaderFilterStrategy to filter Camel header namespace
- Implement authentication on the WebSocket endpoint
- Remove Camel control headers from inbound messages
- Avoid bridging untrusted consumers directly into HTTP producers
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and NVD detail provide information on the vulnerability and its impact. The vendor advisory and mailing list discussion offer guidance on mitigation and patches. To verify, defenders should review the official advisory, assess affected deployments, and apply compensating controls as needed. The issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. Users should confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Official resources
-
CVE-2026-46726 CVE record
CVE.org
-
CVE-2026-46726 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.503Z and has not been modified since then.