PT-2026-55911 · Apache · Apache Camel
Andrea Cosentino
+1
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-56139
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Apache Camel versions 4.0.0 through 4.14.7
Apache Camel versions 4.15.0 through 4.18.2
Apache Camel versions 4.19.0 through 4.20.9
Description
The camel-undertow HTTP server consumer contains an issue where the
muteException option defaults to false. When this option is false, any request that triggers an exception during route processing causes the consumer to write the full Java Throwable stack trace into the HTTP response body as text/plain. This allows unauthenticated clients to obtain sensitive internal information, such as embedded credentials, internal hostnames, IP addresses, filesystem paths, dependency versions, and database names. Additionally, for Rest DSL consumers, the muteException option is ignored because the RestUndertowHttpBinding uses a hard-coded false value, ensuring the stack trace is returned regardless of the configuration.Recommendations
Update Apache Camel versions 4.0.0 through 4.14.7 to version 4.14.8.
Update Apache Camel versions 4.15.0 through 4.18.2 to version 4.18.3.
Update Apache Camel versions 4.19.0 through 4.20.9 to version 4.21.0.
As a temporary mitigation for non-Rest DSL consumers, explicitly set
muteException=true on the camel-undertow consumer or globally via the camel.component.undertow.mute-exception=true property.Generation of Error Message Containing Sensitive Information
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Camel