CWE-639
AllowedAuthorization Bypass Through User-Controlled Key
Abstraction: Base · Status: Incomplete
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
3245 vulnerabilities reference this CWE, most recent first.
GHSA-RJ4P-QC9G-J2P3
Vulnerability from github – Published: 2025-12-05 00:31 – Updated: 2025-12-05 00:31The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request.
{
"affected": [],
"aliases": [
"CVE-2025-13932"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-04T22:15:47Z",
"severity": "HIGH"
},
"details": "The SolisCloud API suffers from a Broken Access Control vulnerability, specifically an Insecure Direct Object Reference (IDOR), where any authenticated user can access detailed data of any plant by altering the plant_id in the request.",
"id": "GHSA-rj4p-qc9g-j2p3",
"modified": "2025-12-05T00:31:05Z",
"published": "2025-12-05T00:31:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13932"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-338-06"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RJV6-GJ2V-MH9H
Vulnerability from github – Published: 2025-05-26 12:30 – Updated: 2025-05-26 12:30A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. This vulnerability affects unknown code of the component Listing Handler. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.
{
"affected": [],
"aliases": [
"CVE-2025-5182"
],
"database_specific": {
"cwe_ids": [
"CWE-285",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-26T11:15:24Z",
"severity": "MODERATE"
},
"details": "A vulnerability has been found in Summer Pearl Group Vacation Rental Management Platform up to 1.0.1 and classified as critical. This vulnerability affects unknown code of the component Listing Handler. The manipulation leads to authorization bypass. The attack can be initiated remotely. Upgrading to version 1.0.2 is able to address this issue. It is recommended to upgrade the affected component.",
"id": "GHSA-rjv6-gj2v-mh9h",
"modified": "2025-05-26T12:30:30Z",
"published": "2025-05-26T12:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5182"
},
{
"type": "WEB",
"url": "https://github.com/Stolichnayer/Summer-Pearl-Group-IDOR-XSS"
},
{
"type": "WEB",
"url": "https://summerpearlgroup.gr/spgpm/releases"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.310270"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.310270"
},
{
"type": "WEB",
"url": "https://www.youtube.com/watch?v=0wwuatTa6sU"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RM4X-93M8-4QCV
Vulnerability from github – Published: 2024-04-09 15:30 – Updated: 2025-02-07 21:30A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN.
Full versions and TV models affected:
webOS 4.9.7 - 5.30.40 running on LG43UM7000PLA webOS 5.5.0 - 04.50.51 running on OLED55CXPUA webOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB webOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA
{
"affected": [],
"aliases": [
"CVE-2023-6317"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-04-09T14:15:07Z",
"severity": "HIGH"
},
"details": "A prompt bypass exists in the secondscreen.gateway service running on webOS version 4 through 7. An attacker can create a privileged account without asking the user for the security PIN.\u00a0\n\nFull versions and TV models affected:\n\nwebOS 4.9.7 - 5.30.40 running on LG43UM7000PLA \nwebOS 5.5.0 - 04.50.51 running on OLED55CXPUA \nwebOS 6.3.3-442 (kisscurl-kinglake) - 03.36.50 running on OLED48C1PUB \u00a0\nwebOS 7.3.1-43 (mullet-mebin) - 03.33.85 running on OLED55A23LA",
"id": "GHSA-rm4x-93m8-4qcv",
"modified": "2025-02-07T21:30:51Z",
"published": "2024-04-09T15:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6317"
},
{
"type": "WEB",
"url": "https://bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos"
},
{
"type": "WEB",
"url": "https://lgsecurity.lge.com/bulletins/tv#updateDetails"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RM5F-3C25-P4CW
Vulnerability from github – Published: 2026-04-14 18:30 – Updated: 2026-04-16 01:31A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "krayin/laravel-crm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-38530"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-16T01:31:36Z",
"nvd_published_at": "2026-04-14T16:16:43Z",
"severity": "HIGH"
},
"details": "A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.",
"id": "GHSA-rm5f-3c25-p4cw",
"modified": "2026-04-16T01:31:36Z",
"published": "2026-04-14T18:30:35Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38530"
},
{
"type": "WEB",
"url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530"
},
{
"type": "PACKAGE",
"url": "https://github.com/krayin/laravel-crm"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php"
}
GHSA-RMC6-47CP-M9GJ
Vulnerability from github – Published: 2023-06-14 09:30 – Updated: 2024-04-04 04:49Unauth. IDOR vulnerability leading to PII Disclosure in WooCommerce Stripe Payment Gateway plugin <= 7.4.0 versions.
{
"affected": [],
"aliases": [
"CVE-2023-34000"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-14T08:15:09Z",
"severity": "HIGH"
},
"details": "Unauth. IDOR vulnerability leading to PII Disclosure in\u00a0WooCommerce Stripe Payment Gateway plugin \u003c= 7.4.0 versions.",
"id": "GHSA-rmc6-47cp-m9gj",
"modified": "2024-04-04T04:49:39Z",
"published": "2023-06-14T09:30:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-34000"
},
{
"type": "WEB",
"url": "https://patchstack.com/articles/unauthenticated-idor-to-pii-disclosure-vulnerability-in-woocommerce-stripe-gateway-plugin?_s_id=cve"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/woocommerce-gateway-stripe/wordpress-woocommerce-stripe-payment-gateway-plugin-7-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RMCJ-82CR-27RX
Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-30 03:37A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.
Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
{
"affected": [],
"aliases": [
"CVE-2026-9099"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T17:17:03Z",
"severity": "HIGH"
},
"details": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.",
"id": "GHSA-rmcj-82cr-27rx",
"modified": "2026-06-30T03:37:14Z",
"published": "2026-06-25T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-9099"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
},
{
"type": "WEB",
"url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-9099.json"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RP59-MWR6-M562
Vulnerability from github – Published: 2023-01-19 00:30 – Updated: 2025-04-04 18:30An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Java application server can be used to bypass the authentication of the QDS endpoints of the Content Server. These endpoints can be used to create objects and execute arbitrary code.
{
"affected": [],
"aliases": [
"CVE-2022-45927"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-18T22:15:00Z",
"severity": "HIGH"
},
"details": "An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Java application server can be used to bypass the authentication of the QDS endpoints of the Content Server. These endpoints can be used to create objects and execute arbitrary code.",
"id": "GHSA-rp59-mwr6-m562",
"modified": "2025-04-04T18:30:32Z",
"published": "2023-01-19T00:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-45927"
},
{
"type": "WEB",
"url": "https://sec-consult.com/vulnerability-lab/advisory/pre-authenticated-remote-code-execution-via-java-frontend-qds-endpoint-opentext-extended-ecm"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/170614/OpenText-Extended-ECM-22.3-Java-Frontend-Remote-Code-Execution.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2023/Jan/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-RP6X-GGW6-8G56
Vulnerability from github – Published: 2023-10-16 09:30 – Updated: 2023-11-14 21:13Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,
some sensitive params checks will be bypassed, like "autoDeserizalize","allowLoadLocalInfile"....
.
Users are advised to upgrade to Apache InLong's 1.9.0 or cherry-pick [1] to solve it.
[1] https://github.com/apache/inlong/pull/8604
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.inlong:manager-pojo"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.9.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-43668"
],
"database_specific": {
"cwe_ids": [
"CWE-502",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-17T14:23:26Z",
"nvd_published_at": "2023-10-16T09:15:10Z",
"severity": "CRITICAL"
},
"details": "Authorization Bypass Through User-Controlled Key vulnerability in Apache InLong.This issue affects Apache InLong: from 1.4.0 through 1.8.0,\u00a0\n\nsome sensitive params checks will be bypassed, like \"autoDeserizalize\",\"allowLoadLocalInfile\"....\n\n.\u00a0\u00a0\n\nUsers are advised to upgrade to Apache InLong\u0027s 1.9.0 or cherry-pick [1] to solve it.\n\n[1]\u00a0 https://github.com/apache/inlong/pull/8604 \n\n",
"id": "GHSA-rp6x-ggw6-8g56",
"modified": "2023-11-14T21:13:48Z",
"published": "2023-10-16T09:30:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-43668"
},
{
"type": "WEB",
"url": "https://github.com/apache/inlong/pull/8604"
},
{
"type": "WEB",
"url": "https://github.com/apache/inlong/commit/46c4e96a84839bd540f47c659c9d8576e393da02"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/inlong"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/16gtk7rpdm1rof075ro83fkrnhbzn5sh"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Authorization Bypass in Apache InLong"
}
GHSA-RP98-9VMX-835H
Vulnerability from github – Published: 2024-01-17 03:30 – Updated: 2025-06-10 18:32An issue in webkul qloapps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter.
{
"affected": [],
"aliases": [
"CVE-2023-36235"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-17T03:15:07Z",
"severity": "MODERATE"
},
"details": "An issue in webkul qloapps before v1.6.0 allows an attacker to obtain sensitive information via the id_order parameter.",
"id": "GHSA-rp98-9vmx-835h",
"modified": "2025-06-10T18:32:10Z",
"published": "2024-01-17T03:30:55Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-36235"
},
{
"type": "WEB",
"url": "https://github.com/webkul/hotelcommerce/pull/537"
},
{
"type": "WEB",
"url": "https://github.com/Ek-Saini/security/blob/main/IDOR-Qloapps"
},
{
"type": "WEB",
"url": "https://qloapps.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-RP9M-HFV5-PFVR
Vulnerability from github – Published: 2026-07-06 09:30 – Updated: 2026-07-06 21:30Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel ElasticSearch Rest Client.
The camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - SEARCH_QUERY (an advanced query body), OPERATION (which Elasticsearch operation to run), INDEX_NAME, INDEX_SETTINGS and ID. The string values of these header constants, defined in ElasticSearchRestClientConstant, are plain unprefixed names ('SEARCH_QUERY', 'OPERATION', 'INDEX_NAME', 'INDEX_SETTINGS', 'ID') rather than the 'Camel'-prefixed names used by every other Camel component (for example CamelSqlQuery, CamelMongoDbCriteria, CamelCqlQuery). Camel's inbound HTTP header filter, HttpHeaderFilterStrategy, blocks only header names that begin with 'Camel' or 'camel'. Because the Elasticsearch header names do not carry that prefix, they pass through the inbound filter unchanged. When a Camel route exposes an HTTP entry point (for example platform-http) in front of an elasticsearch-rest-client producer, an untrusted HTTP client can set these headers directly on its request and override the query and operation that the route author configured: reading every document in the index (SEARCH_QUERY with a match_all query), deleting documents (OPERATION set to Delete together with ID), or exfiltrating selected fields. No credentials are required and the producer reads the headers unconditionally. This issue affects Apache Camel: from 4.3.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix renames the camel-elasticsearch-rest-client Exchange header constant string values (ID, SEARCH_QUERY, INDEX_SETTINGS, INDEX_NAME, OPERATION) to carry the Camel prefix (CamelElasticsearchId, CamelElasticsearchSearchQuery, CamelElasticsearchIndexSettings, CamelElasticsearchIndexName, CamelElasticsearchOperation) so that they are blocked by the inbound HttpHeaderFilterStrategy; the Java field names are unchanged. For deployments that cannot upgrade immediately, strip the affected headers from untrusted inbound messages before they reach the producer (for example removeHeader('SEARCH_QUERY'), removeHeader('OPERATION'), removeHeader('INDEX_NAME'), removeHeader('INDEX_SETTINGS') and removeHeader('ID') in front of the elasticsearch-rest-client endpoint), or apply a custom HeaderFilterStrategy that blocks these names.
{
"affected": [],
"aliases": [
"CVE-2026-46453"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T09:16:36Z",
"severity": "MODERATE"
},
"details": "Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel ElasticSearch Rest Client.\n\nThe camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - SEARCH_QUERY (an advanced query body), OPERATION (which Elasticsearch operation to run), INDEX_NAME, INDEX_SETTINGS and ID. The string values of these header constants, defined in ElasticSearchRestClientConstant, are plain unprefixed names (\u0027SEARCH_QUERY\u0027, \u0027OPERATION\u0027, \u0027INDEX_NAME\u0027, \u0027INDEX_SETTINGS\u0027, \u0027ID\u0027) rather than the \u0027Camel\u0027-prefixed names used by every other Camel component (for example CamelSqlQuery, CamelMongoDbCriteria, CamelCqlQuery). Camel\u0027s inbound HTTP header filter, HttpHeaderFilterStrategy, blocks only header names that begin with \u0027Camel\u0027 or \u0027camel\u0027. Because the Elasticsearch header names do not carry that prefix, they pass through the inbound filter unchanged. When a Camel route exposes an HTTP entry point (for example platform-http) in front of an elasticsearch-rest-client producer, an untrusted HTTP client can set these headers directly on its request and override the query and operation that the route author configured: reading every document in the index (SEARCH_QUERY with a match_all query), deleting documents (OPERATION set to Delete together with ID), or exfiltrating selected fields. No credentials are required and the producer reads the headers unconditionally.\nThis issue affects Apache Camel: from 4.3.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix renames the camel-elasticsearch-rest-client Exchange header constant string values (ID, SEARCH_QUERY, INDEX_SETTINGS, INDEX_NAME, OPERATION) to carry the Camel prefix (CamelElasticsearchId, CamelElasticsearchSearchQuery, CamelElasticsearchIndexSettings, CamelElasticsearchIndexName, CamelElasticsearchOperation) so that they are blocked by the inbound HttpHeaderFilterStrategy; the Java field names are unchanged. For deployments that cannot upgrade immediately, strip the affected headers from untrusted inbound messages before they reach the producer (for example removeHeader(\u0027SEARCH_QUERY\u0027), removeHeader(\u0027OPERATION\u0027), removeHeader(\u0027INDEX_NAME\u0027), removeHeader(\u0027INDEX_SETTINGS\u0027) and removeHeader(\u0027ID\u0027) in front of the elasticsearch-rest-client endpoint), or apply a custom HeaderFilterStrategy that blocks these names.",
"id": "GHSA-rp9m-hfv5-pfvr",
"modified": "2026-07-06T21:30:36Z",
"published": "2026-07-06T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46453"
},
{
"type": "WEB",
"url": "https://camel.apache.org/security/CVE-2026-46453.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/05/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
Mitigation
Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.
Mitigation
Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.
No CAPEC attack patterns related to this CWE.