PT-2026-55910 · Apache · Apache Camel
Andrea Cosentino
+1
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-55994
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Apache Camel versions 4.17.0 through 4.18.2
Apache Camel versions 4.19.0 through 4.20.x
Description
Improper input validation in the Iggy component allows an actor capable of publishing to the consumed Iggy stream or topic to inject Camel-internal control headers, such as
CamelHttpUri (Exchange.HTTP URI), into the Camel Exchange header map. This occurs because the IggyFetchRecords function copies user-headers directly without applying a HeaderFilterStrategy. If the Iggy consumer feeds a downstream HTTP producer, the injected CamelHttpUri can redirect server-side HTTP requests to an attacker-chosen destination, resulting in Server-Side Request Forgery (SSRF). Furthermore, the HTTP producer resolves Camel property placeholders within the attacker-controlled URI, which can lead to the exposure of sensitive information, including environment variables, application properties, and vault secrets, as these are resolved to their real values and sent to the attacker.Recommendations
Update Apache Camel versions 4.17.0 through 4.18.2 to version 4.18.3.
Update Apache Camel versions 4.19.0 through 4.20.x to version 4.21.0.
As a temporary mitigation, strip Camel control headers from inbound messages using
removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route.
Restrict permissions for who can publish to the consumed Iggy stream or topic.
Avoid bridging untrusted consumers directly into an HTTP producer where the target URI is driven by message headers.Information Disclosure
RCE
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Apache Camel