FKIE_CVE-2026-56139

Vulnerability from fkie_nvd - Published: 2026-07-06 09:16 - Updated: 2026-07-06 21:16
Summary
Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component. The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied.
Impacted products
Vendor Product Version

{
  "affected": [
    {
      "affectedData": [
        {
          "collectionURL": "https://repo.maven.apache.org/maven2",
          "defaultStatus": "unaffected",
          "packageName": "org.apache.camel:camel-undertow",
          "product": "Apache Camel Undertow",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "4.14.8",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.18.3",
              "status": "affected",
              "version": "4.15.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.21.0",
              "status": "affected",
              "version": "4.19.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "source": "security@apache.org"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Generation of Error Message Containing Sensitive Information vulnerability in Apache Camel Undertow Component.\n\nThe camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application\u0027s internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured.\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow: http://0.0.0.0:8080/api?muteException=true , or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad relacionada con la generaci\u00f3n de mensajes de error que contienen informaci\u00f3n confidencial en el componente Apache Camel Undertow. El consumidor del servidor HTTP camel-undertow expone una opci\u00f3n denominada muteException que controla lo que se devuelve al cliente cuando se produce un error en el procesamiento de una ruta. El valor predeterminado de esta opci\u00f3n es false, mientras que en los dem\u00e1s componentes del servidor HTTP de Camel (camel-http, camel-jetty, camel-servlet y camel-platform-http) el valor predeterminado es true. Con muteException=false, cuando una solicitud provoca una excepci\u00f3n durante el procesamiento de la ruta, el consumidor escribe el seguimiento completo de la pila de Throwable en el cuerpo de la respuesta HTTP como text/plain, en lugar de devolver un cuerpo vac\u00edo. Por lo tanto, cualquier cliente no autenticado que pueda acceder al punto final y provocar un error de procesamiento \u2014por ejemplo, enviando un cuerpo de solicitud mal formado, un par\u00e1metro no v\u00e1lido o provocando de cualquier otra forma un fallo interno de la ruta\u2014 recibe un seguimiento completo de la pila de Java. Dicha traza de pila puede revelar informaci\u00f3n interna confidencial, incluidas credenciales incrustadas en los mensajes de excepci\u00f3n, nombres de host internos y direcciones IP, rutas del sistema de archivos, detalles de dependencias y versiones, nombres de bases de datos y clases, y la estructura interna de la aplicaci\u00f3n, que un atacante puede utilizar para planear nuevos ataques. Adem\u00e1s, para los usuarios de Rest DSL, la opci\u00f3n `muteException` no se respetaba en absoluto: el `RestUndertowHttpBinding` se creaba con un valor false codificado de forma fija, por lo que se devolv\u00eda el seguimiento de la pila incluso cuando se hab\u00eda configurado `muteException=true`. Este problema afecta a Apache Camel: desde la versi\u00f3n 4.0.0 hasta la 4.14.8, desde la 4.15.0 hasta la 4.18.3 y desde la 4.19.0 hasta la 4.21.0. Se recomienda a los usuarios que actualicen a la versi\u00f3n 4.21.0, que corrige el problema. Si los usuarios utilizan la rama de versiones LTS 4.14.x, se les recomienda actualizar a la versi\u00f3n 4.14.8. Si utilizan la rama de versiones 4.18.x, se les recomienda actualizar a la versi\u00f3n 4.18.3. En el caso de implementaciones que no puedan actualizarse de inmediato, se debe establecer expl\u00edcitamente muteException=true en el consumidor camel-undertow (por ejemplo, undertow: http://0.0.0.0:8080/api?muteException=true, o de forma global mediante la propiedad camel.component.undertow.mute-exception=true), de modo que los errores de procesamiento ya no devuelvan el seguimiento de la pila al cliente; ten en cuenta que, en las versiones afectadas, esta soluci\u00f3n provisional no se aplica a los consumidores de Rest DSL, cuyo enlace ignora la opci\u00f3n hasta que se aplique la correcci\u00f3n."
    }
  ],
  "id": "CVE-2026-56139",
  "lastModified": "2026-07-06T21:16:57.710",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ],
    "ssvcV203": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "ssvcData": {
          "id": "CVE-2026-56139",
          "options": [
            {
              "exploitation": "none"
            },
            {
              "automatable": "yes"
            },
            {
              "technicalImpact": "partial"
            }
          ],
          "role": "CISA Coordinator",
          "timestamp": "2026-07-06T20:55:36.900366Z",
          "version": "2.0.3"
        }
      }
    ]
  },
  "published": "2026-07-06T09:16:39.157",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://camel.apache.org/security/CVE-2026-56139.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2026/07/05/29"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-209"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…