PT-2026-55907 · Apache · Apache Camel
Andrea Cosentino
+1
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-49365
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Apache Camel versions 4.0.0 through 4.14.7
Apache Camel versions 4.15.0 through 4.18.2
Apache Camel versions 4.19.0 through 4.20.9
Description
The camel-netty-http server consumer in Apache Camel contains an issue where the
muteException option defaults to false. When this option is false, any request that triggers an exception during route processing causes the consumer to write the full Java stack trace of the Throwable into the HTTP response body as text/plain via DefaultNettyHttpBinding. An unauthenticated client can trigger this by sending malformed request bodies or invalid parameters. The resulting stack trace may disclose sensitive internal information, such as embedded credentials, internal hostnames, IP addresses, filesystem paths, dependency versions, and database or class names.Recommendations
Update Apache Camel versions 4.0.0 through 4.14.7 to version 4.14.8.
Update Apache Camel versions 4.15.0 through 4.18.2 to version 4.18.3.
Update Apache Camel versions 4.19.0 through 4.20.9 to version 4.21.0.
As a temporary mitigation, explicitly set
muteException=true on the camel-netty-http consumer or globally via the camel.component.netty-http.configuration.mute-exception=true property.Generation of Error Message Containing Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Camel