FKIE_CVE-2026-55993
Vulnerability from fkie_nvd - Published: 2026-07-06 09:16 - Updated: 2026-07-06 18:15
Severity
Summary
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Atmosphere Websocket Component.
The camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() iterates the query-string map collected in WebsocketConsumer.service() and copies each entry into the Exchange). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. When the WebSocket endpoint is exposed without authentication, this is reachable by an unauthenticated remote attacker.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the consumer apply the HeaderFilterStrategy it already inherits from the HTTP/servlet stack, filtering the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.camel:camel-atmosphere-websocket",
"product": "Apache Camel Atmosphere Websocket",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.14.8",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.18.3",
"status": "affected",
"version": "4.15.0",
"versionType": "semver"
},
{
"lessThan": "4.21.0",
"status": "affected",
"version": "4.19.0",
"versionType": "semver"
}
]
}
],
"source": "security@apache.org"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel in Atmosphere Websocket Component.\n\nThe camel-atmosphere-websocket consumer mapped inbound WebSocket query parameters into the Camel Exchange header map without applying any HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() iterates the query-string map collected in WebsocketConsumer.service() and copies each entry into the Exchange). Because nothing blocked the Camel header namespace, a client connecting to the WebSocket endpoint could set Camel-internal control headers - including CamelHttpUri (Exchange.HTTP_URI) - simply by supplying them as query parameters. In a route where the WebSocket consumer feeds a downstream HTTP producer, the injected CamelHttpUri redirects the server-side HTTP request to an attacker-chosen destination (server-side request forgery - for example to an internal service or a cloud metadata endpoint). In addition, the HTTP producer resolves Camel property placeholders on the resulting (attacker-controlled) URI, so placeholders embedded in the injected value - such as an environment-variable reference, an application property, or a vault reference - are resolved to their real values and sent to the attacker, disclosing environment variables, application properties and vault secrets. When the WebSocket endpoint is exposed without authentication, this is reachable by an unauthenticated remote attacker.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes the consumer apply the HeaderFilterStrategy it already inherits from the HTTP/servlet stack, filtering the Camel header namespace case-insensitively on inbound mapping, so externally-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from the inbound message before they reach any downstream producer (for example removeHeaders(\u0027Camel*\u0027) and removeHeaders(\u0027camel*\u0027) at the start of the route), require authentication on the WebSocket endpoint, and avoid bridging an untrusted consumer directly into an HTTP producer whose target URI can be driven from message headers."
},
{
"lang": "es",
"value": "Validaci\u00f3n incorrecta de entradas, exposici\u00f3n de informaci\u00f3n confidencial a un agente no autorizado y vulnerabilidad de falsificaci\u00f3n de solicitudes del lado del servidor (SSRF) en Apache Camel, en el componente Atmosphere WebSocket. El consumidor camel-atmosphere-websocket asignaba los par\u00e1metros de consulta de WebSocket entrantes al mapa de encabezados de Camel Exchange sin aplicar ninguna HeaderFilterStrategy (WebsocketConsumer.sendEventNotification() recorre el mapa de cadenas de consulta recopilado en WebsocketConsumer.service() y copia cada entrada en el Exchange). Dado que nada bloqueaba el espacio de nombres de encabezados de Camel, un cliente que se conectara al punto final de WebSocket pod\u00eda establecer encabezados de control internos de Camel \u2014incluido CamelHttpUri (Exchange.HTTP_URI)\u2014 simplemente proporcion\u00e1ndolos como par\u00e1metros de consulta. En una ruta en la que el consumidor WebSocket alimenta a un productor HTTP posterior, el CamelHttpUri inyectado redirige la solicitud HTTP del lado del servidor a un destino elegido por el atacante (falsificaci\u00f3n de solicitudes del lado del servidor; por ejemplo, a un servicio interno o a un punto final de metadatos en la nube). Adem\u00e1s, el productor HTTP resuelve los marcadores de posici\u00f3n de propiedades de Camel en la URI resultante (controlada por el atacante), por lo que los marcadores de posici\u00f3n incrustados en el valor inyectado \u2014como una referencia a una variable de entorno, una propiedad de la aplicaci\u00f3n o una referencia al almac\u00e9n de secretos\u2014 se resuelven a sus valores reales y se env\u00edan al atacante, revelando variables de entorno, propiedades de la aplicaci\u00f3n y secretos del almac\u00e9n. Cuando el punto final de WebSocket est\u00e1 expuesto sin autenticaci\u00f3n, un atacante remoto no autenticado puede acceder a \u00e9l. Este problema afecta a Apache Camel: desde la versi\u00f3n 4.0.0 hasta la 4.14.8, desde la 4.15.0 hasta la 4.18.3 y desde la 4.19.0 hasta la 4.21.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 4.21.0, que corrige el problema. Si los usuarios utilizan las versiones LTS de la rama 4.14.x, se les sugiere que actualicen a la 4.14.8. Si los usuarios utilizan las versiones de la rama 4.18.x, se les sugiere que actualicen a la 4.18.3. La correcci\u00f3n hace que el consumidor aplique la estrategia HeaderFilterStrategy que ya hereda de la pila HTTP/servlet, filtrando el espacio de nombres de los encabezados de Camel sin distinguir entre may\u00fasculas y min\u00fasculas en la asignaci\u00f3n de entrada, de modo que los encabezados Camel* / camel* proporcionados externamente ya no se copian en el Exchange. En el caso de las implementaciones que no puedan actualizarse de inmediato, elimine los encabezados de control de Camel del mensaje entrante antes de que lleguen a cualquier productor posterior (por ejemplo, utilice removeHeaders(\u201cCamel*\u201d) y removeHeaders(\u201ccamel*\u201d) al inicio de la ruta), exija la autenticaci\u00f3n en el punto final de WebSocket y evite conectar un consumidor no fiable directamente a un productor HTTP cuyo URI de destino pueda determinarse a partir de los encabezados del mensaje."
}
],
"id": "CVE-2026-55993",
"lastModified": "2026-07-06T18:15:33.843",
"metrics": {},
"published": "2026-07-06T09:16:38.897",
"references": [
{
"source": "security@apache.org",
"url": "https://camel.apache.org/security/CVE-2026-55993.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2026/07/05/27"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
},
{
"lang": "en",
"value": "CWE-200"
},
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…