CVE-2026-46585 Overview
CVE-2026-46585 is an improper input validation and authorization bypass vulnerability in the Apache Camel Lucene Component. The camel-lucene producer reads its search phrase from an Exchange header whose raw name (QUERY) does not carry the Camel/camel prefix. Because HttpHeaderFilterStrategy filters only headers within the Camel namespace, attacker-supplied QUERY headers pass through HTTP consumers such as platform-http directly into the Exchange. An unauthenticated remote client can override the intended Lucene query, retrieve documents outside its authorization scope, or execute expensive regular-expression queries.
Critical Impact
Unauthenticated attackers can override server-side Lucene queries through HTTP headers, exposing indexed documents and enabling CPU-exhaustion via regex queries against exposed Camel routes.
Affected Products
- Apache Camel 4.0.0 through 4.14.7
- Apache Camel 4.15.0 through 4.18.2
- Apache Camel 4.19.0 through 4.20.x
Discovery Timeline
- 2026-07-06 - CVE-2026-46585 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-46585
Vulnerability Analysis
The camel-lucene producer sources its search phrase from the Exchange header LuceneConstants.HEADER_QUERY, which resolves to the plain string QUERY. The same pattern applies to RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS. Neither name uses the Camel or camel prefix that Camel's HTTP header filter treats as internal.
When a route exposes Lucene behind an HTTP consumer such as platform-http, HttpHeaderFilterStrategy allows these raw header names to cross the HTTP boundary. The attacker-supplied header value reaches the Lucene producer and replaces the query the route intended to execute. The classification aligns with [CWE-20] Improper Input Validation.
Root Cause
The root cause lies in the mismatch between Camel's header-filter policy and the constants used by the Lucene component. HttpHeaderFilterStrategy blocks only headers in the Camel-prefixed namespace on the HTTP boundary. Because QUERY and RETURN_LUCENE_DOCS do not carry that prefix, inbound HTTP headers bearing those names are trusted as internal Exchange state.
Attack Vector
An unauthenticated remote attacker sends an HTTP request to a Camel route that fronts a camel-lucene producer. The request includes a QUERY header controlled by the attacker. Camel forwards the header into the Exchange, and the Lucene producer executes the injected phrase against the full-text index. A match-all query returns every indexed document, bypassing any per-user filter the route intended to apply. A crafted regular-expression query drives sustained CPU consumption on the Camel host.
The vulnerability manifests through header injection over HTTP. Refer to the Apache Camel CVE-2026-46585 Advisory for the vendor's technical description.
Detection Methods for CVE-2026-46585
Indicators of Compromise
- Inbound HTTP requests to Camel endpoints containing a QUERY or RETURN_LUCENE_DOCS header from untrusted clients.
- Sudden spikes in Lucene query volume or unusually broad result sets returned from routes fronting camel-lucene.
- Sustained CPU usage in the Camel JVM tied to Lucene regex query evaluation.
Detection Strategies
- Inspect access logs for HTTP requests carrying QUERY or RETURN_LUCENE_DOCS headers and correlate with routes that use camel-lucene.
- Enable Camel route tracing to record header values delivered to Lucene producers and flag values that differ from the route's constant query.
- Deploy WAF or reverse-proxy rules that log and block requests containing these unprefixed header names.
Monitoring Recommendations
- Track Lucene query latency and result-set size per route and alert on statistical deviations.
- Monitor JVM CPU and thread state on Camel workers to identify runaway regex evaluation.
- Baseline HTTP header sets received by each Camel HTTP consumer and alert on unexpected header names.
How to Mitigate CVE-2026-46585
Immediate Actions Required
- Upgrade Apache Camel to 4.21.0 on current releases, 4.18.3 on the 4.18.x stream, or 4.14.8 on the 4.14.x LTS stream.
- Update route code so query values are set using the prefixed header names CamelLuceneQuery and CamelLuceneReturnLuceneDocs.
- Audit all routes that combine an HTTP consumer with camel-lucene and confirm queries originate from trusted sources.
Patch Information
Apache has released fixed versions 4.14.8, 4.18.3, and 4.21.0. The patched releases move the Lucene header names into the Camel-prefixed namespace so that HttpHeaderFilterStrategy blocks attacker-supplied values at the HTTP boundary. Details are available in the Apache Camel CVE-2026-46585 Advisory and in the OpenWall OSS-Security Discussion.
Workarounds
- Strip the vulnerable headers at the start of every affected route using removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS').
- Set the Lucene query from a trusted, server-side source such as setHeader('QUERY', constant(...)) after the removal step.
- Place an authenticating reverse proxy or WAF in front of exposed Camel HTTP consumers and reject requests carrying the raw QUERY or RETURN_LUCENE_DOCS headers.
# Configuration example
# Route-level workaround for Camel deployments that cannot upgrade immediately
from("platform-http:/search")
.removeHeader("QUERY")
.removeHeader("RETURN_LUCENE_DOCS")
.setHeader("QUERY", constant("trustedServerSideQuery"))
.to("lucene:searchIndex?operation=query");
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

