PT-2026-55910 · Apache · Apache Camel

Andrea Cosentino

+1

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-55994

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.17.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.x
Description Improper input validation in the Iggy component allows an actor capable of publishing to the consumed Iggy stream or topic to inject Camel-internal control headers, such as CamelHttpUri (Exchange.HTTP URI), into the Camel Exchange header map. This occurs because the IggyFetchRecords function copies user-headers directly without applying a HeaderFilterStrategy. If the Iggy consumer feeds a downstream HTTP producer, the injected CamelHttpUri can redirect server-side HTTP requests to an attacker-chosen destination, resulting in Server-Side Request Forgery (SSRF). Furthermore, the HTTP producer resolves Camel property placeholders within the attacker-controlled URI, which can lead to the exposure of sensitive information, including environment variables, application properties, and vault secrets, as these are resolved to their real values and sent to the attacker.
Recommendations Update Apache Camel versions 4.17.0 through 4.18.2 to version 4.18.3. Update Apache Camel versions 4.19.0 through 4.20.x to version 4.21.0. As a temporary mitigation, strip Camel control headers from inbound messages using removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route. Restrict permissions for who can publish to the consumed Iggy stream or topic. Avoid bridging untrusted consumers directly into an HTTP producer where the target URI is driven by message headers.

Information Disclosure

RCE

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55994

Affected Products

Apache Camel