PT-2026-55907 · Apache · Apache Camel

Andrea Cosentino

+1

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-49365

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9
Description The camel-netty-http server consumer in Apache Camel contains an issue where the muteException option defaults to false. When this option is false, any request that triggers an exception during route processing causes the consumer to write the full Java stack trace of the Throwable into the HTTP response body as text/plain via DefaultNettyHttpBinding. An unauthenticated client can trigger this by sending malformed request bodies or invalid parameters. The resulting stack trace may disclose sensitive internal information, such as embedded credentials, internal hostnames, IP addresses, filesystem paths, dependency versions, and database or class names.
Recommendations Update Apache Camel versions 4.0.0 through 4.14.7 to version 4.14.8. Update Apache Camel versions 4.15.0 through 4.18.2 to version 4.18.3. Update Apache Camel versions 4.19.0 through 4.20.9 to version 4.21.0. As a temporary mitigation, explicitly set muteException=true on the camel-netty-http consumer or globally via the camel.component.netty-http.configuration.mute-exception=true property.

Generation of Error Message Containing Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49365

Affected Products

Apache Camel