PatchSiren cyber security CVE debrief
CVE-2026-48205 Apache CVE debrief
The Apache Camel DNS component has a vulnerability that allows for Server-Side Request Forgery (SSRF) attacks due to improper input validation. This issue affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The vulnerability allows an attacker to make the dig producer build a SimpleResolver pointing at an attacker-controlled DNS server, allowing for SSRF and internal network reconnaissance. Users of Apache Camel, especially those using the DNS component, should be aware of this vulnerability and take steps to mitigate it.
- Vendor
- Apache
- Product
- Camel
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Users of Apache Camel, especially those using the DNS component, should be aware of this vulnerability and take steps to mitigate it. This includes upgrading to version 4.21.0 or later, using CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of dns.* / term names, stripping dns.* and term headers from untrusted ingress before the dns: producer, and setting DNS server and lookup parameters from a trusted source in the route.
Technical summary
The camel-dns producers read DNS operation parameters from Exchange message headers. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy lets them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer into a dns: producer, any HTTP client could set the dns.server header to make the dig producer build a SimpleResolver pointing at an attacker-controlled DNS server, allowing for SSRF and internal network reconnaissance.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 4.21.0 or later
- Use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of dns.* / term names
- Strip dns.* and term headers from untrusted ingress before the dns: producer
- Set DNS server and lookup parameters from a trusted source in the route
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-06T09:16:37.880Z and was last modified on 2026-07-08T03:14:28.607Z. The NVD entry is currently Analyzed. This information is based on the CVE record and NVD entry. Users should verify the accuracy of this information with the official sources. The vulnerability affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0.
Official resources
-
CVE-2026-48205 CVE record
CVE.org
-
CVE-2026-48205 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Mitigation, Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:37.880Z and has not been modified since then. The NVD entry is currently Analyzed.