PT-2026-55911 · Apache · Apache Camel

Andrea Cosentino

+1

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-56139

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9
Description The camel-undertow HTTP server consumer contains an issue where the muteException option defaults to false. When this option is false, any request that triggers an exception during route processing causes the consumer to write the full Java Throwable stack trace into the HTTP response body as text/plain. This allows unauthenticated clients to obtain sensitive internal information, such as embedded credentials, internal hostnames, IP addresses, filesystem paths, dependency versions, and database names. Additionally, for Rest DSL consumers, the muteException option is ignored because the RestUndertowHttpBinding uses a hard-coded false value, ensuring the stack trace is returned regardless of the configuration.
Recommendations Update Apache Camel versions 4.0.0 through 4.14.7 to version 4.14.8. Update Apache Camel versions 4.15.0 through 4.18.2 to version 4.18.3. Update Apache Camel versions 4.19.0 through 4.20.9 to version 4.21.0. As a temporary mitigation for non-Rest DSL consumers, explicitly set muteException=true on the camel-undertow consumer or globally via the camel.component.undertow.mute-exception=true property.

Generation of Error Message Containing Sensitive Information

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56139

Affected Products

Apache Camel