Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46585

CVE-2026-46585: Apache Camel Auth Bypass Vulnerability

CVE-2026-46585 is an authorization bypass flaw in Apache Camel Lucene Component that allows attackers to execute unauthorized queries and access restricted documents. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-46585 Overview

CVE-2026-46585 is an improper input validation and authorization bypass vulnerability in the Apache Camel Lucene Component. The camel-lucene producer reads its search phrase from an Exchange header whose raw name (QUERY) does not carry the Camel/camel prefix. Because HttpHeaderFilterStrategy filters only headers within the Camel namespace, attacker-supplied QUERY headers pass through HTTP consumers such as platform-http directly into the Exchange. An unauthenticated remote client can override the intended Lucene query, retrieve documents outside its authorization scope, or execute expensive regular-expression queries.

Critical Impact

Unauthenticated attackers can override server-side Lucene queries through HTTP headers, exposing indexed documents and enabling CPU-exhaustion via regex queries against exposed Camel routes.

Affected Products

  • Apache Camel 4.0.0 through 4.14.7
  • Apache Camel 4.15.0 through 4.18.2
  • Apache Camel 4.19.0 through 4.20.x

Discovery Timeline

  • 2026-07-06 - CVE-2026-46585 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-46585

Vulnerability Analysis

The camel-lucene producer sources its search phrase from the Exchange header LuceneConstants.HEADER_QUERY, which resolves to the plain string QUERY. The same pattern applies to RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS. Neither name uses the Camel or camel prefix that Camel's HTTP header filter treats as internal.

When a route exposes Lucene behind an HTTP consumer such as platform-http, HttpHeaderFilterStrategy allows these raw header names to cross the HTTP boundary. The attacker-supplied header value reaches the Lucene producer and replaces the query the route intended to execute. The classification aligns with [CWE-20] Improper Input Validation.

Root Cause

The root cause lies in the mismatch between Camel's header-filter policy and the constants used by the Lucene component. HttpHeaderFilterStrategy blocks only headers in the Camel-prefixed namespace on the HTTP boundary. Because QUERY and RETURN_LUCENE_DOCS do not carry that prefix, inbound HTTP headers bearing those names are trusted as internal Exchange state.

Attack Vector

An unauthenticated remote attacker sends an HTTP request to a Camel route that fronts a camel-lucene producer. The request includes a QUERY header controlled by the attacker. Camel forwards the header into the Exchange, and the Lucene producer executes the injected phrase against the full-text index. A match-all query returns every indexed document, bypassing any per-user filter the route intended to apply. A crafted regular-expression query drives sustained CPU consumption on the Camel host.

The vulnerability manifests through header injection over HTTP. Refer to the Apache Camel CVE-2026-46585 Advisory for the vendor's technical description.

Detection Methods for CVE-2026-46585

Indicators of Compromise

  • Inbound HTTP requests to Camel endpoints containing a QUERY or RETURN_LUCENE_DOCS header from untrusted clients.
  • Sudden spikes in Lucene query volume or unusually broad result sets returned from routes fronting camel-lucene.
  • Sustained CPU usage in the Camel JVM tied to Lucene regex query evaluation.

Detection Strategies

  • Inspect access logs for HTTP requests carrying QUERY or RETURN_LUCENE_DOCS headers and correlate with routes that use camel-lucene.
  • Enable Camel route tracing to record header values delivered to Lucene producers and flag values that differ from the route's constant query.
  • Deploy WAF or reverse-proxy rules that log and block requests containing these unprefixed header names.

Monitoring Recommendations

  • Track Lucene query latency and result-set size per route and alert on statistical deviations.
  • Monitor JVM CPU and thread state on Camel workers to identify runaway regex evaluation.
  • Baseline HTTP header sets received by each Camel HTTP consumer and alert on unexpected header names.

How to Mitigate CVE-2026-46585

Immediate Actions Required

  • Upgrade Apache Camel to 4.21.0 on current releases, 4.18.3 on the 4.18.x stream, or 4.14.8 on the 4.14.x LTS stream.
  • Update route code so query values are set using the prefixed header names CamelLuceneQuery and CamelLuceneReturnLuceneDocs.
  • Audit all routes that combine an HTTP consumer with camel-lucene and confirm queries originate from trusted sources.

Patch Information

Apache has released fixed versions 4.14.8, 4.18.3, and 4.21.0. The patched releases move the Lucene header names into the Camel-prefixed namespace so that HttpHeaderFilterStrategy blocks attacker-supplied values at the HTTP boundary. Details are available in the Apache Camel CVE-2026-46585 Advisory and in the OpenWall OSS-Security Discussion.

Workarounds

  • Strip the vulnerable headers at the start of every affected route using removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS').
  • Set the Lucene query from a trusted, server-side source such as setHeader('QUERY', constant(...)) after the removal step.
  • Place an authenticating reverse proxy or WAF in front of exposed Camel HTTP consumers and reject requests carrying the raw QUERY or RETURN_LUCENE_DOCS headers.
bash
# Configuration example
# Route-level workaround for Camel deployments that cannot upgrade immediately
from("platform-http:/search")
    .removeHeader("QUERY")
    .removeHeader("RETURN_LUCENE_DOCS")
    .setHeader("QUERY", constant("trustedServerSideQuery"))
    .to("lucene:searchIndex?operation=query");

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.