CVE-2026-49365 Overview
CVE-2026-49365 is an information disclosure vulnerability in the Apache Camel Netty HTTP component. The camel-netty-http HTTP server consumer returns full Java stack traces to unauthenticated clients when route processing errors occur. This happens because the muteException option defaults to false, unlike other Camel HTTP server components. Attackers who reach the endpoint can trigger errors with malformed requests and receive complete exception details. Disclosed information can include credentials in exception messages, internal host names, IP addresses, filesystem paths, dependency versions, database identifiers, and class names. The flaw is tracked under [CWE-209] and affects Apache Camel versions 4.0.0 through 4.21.0 across multiple release streams.
Critical Impact
Unauthenticated network attackers can retrieve Java stack traces exposing credentials, internal infrastructure details, and application structure to plan follow-on attacks.
Affected Products
- Apache Camel 4.0.0 before 4.14.8 (LTS stream)
- Apache Camel 4.15.0 before 4.18.3
- Apache Camel 4.19.0 before 4.21.0
Discovery Timeline
- 2026-07-06 - CVE-2026-49365 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-49365
Vulnerability Analysis
The vulnerability resides in the camel-netty-http HTTP server consumer implementation. When a request triggers an exception during route processing, the consumer writes the full Throwable stack trace into the HTTP response body as text/plain content. The DefaultNettyHttpBinding class performs this serialization instead of returning an empty response body. Any unauthenticated client that can reach the endpoint can force this behavior by sending malformed request bodies or invalid parameters.
Exposed stack traces reveal sensitive runtime information. Attackers gain visibility into internal host names, IP addresses, filesystem paths, dependency versions, database schemas, and application class hierarchies. Credentials embedded in exception messages may also leak through this channel. This reconnaissance data supports targeted follow-on attacks against internal infrastructure.
Root Cause
The root cause is an inconsistent default value across Camel HTTP server components. The muteException field in camel-netty-http is an uninitialized primitive Java boolean, defaulting to false. Sibling components including camel-http, camel-jetty, camel-servlet, and camel-platform-http explicitly initialize this field to true. This inconsistency caused Netty-based HTTP endpoints to leak diagnostic detail that other Camel transports suppress by default.
Attack Vector
Exploitation requires only network access to the exposed Netty HTTP endpoint. An attacker sends a request crafted to trigger a route-internal failure. Common triggers include malformed JSON or XML bodies, invalid query parameters, or values that violate downstream processor expectations. The server responds with a text/plain body containing the complete Java stack trace. No authentication, user interaction, or elevated privileges are required.
The vulnerability manifests through the response handling path in DefaultNettyHttpBinding. See the Apache Camel CVE-2026-49365 Advisory for component-level technical details.
Detection Methods for CVE-2026-49365
Indicators of Compromise
- HTTP responses from Netty-based Camel endpoints containing text/plain bodies with Java stack trace patterns such as at org.apache.camel... or Caused by:
- Access logs showing repeated malformed requests against camel-netty-http consumer endpoints from a single source
- Outbound reconnaissance activity following exposure of internal host names or paths in error responses
Detection Strategies
- Inspect HTTP response bodies from Camel Netty endpoints for stack trace signatures and Java exception class names
- Audit deployed Camel applications and identify components using netty-http: URIs without an explicit muteException=true setting
- Correlate 4xx and 5xx response volume spikes with response payload sizes larger than typical error messages
Monitoring Recommendations
- Enable request and response logging on Camel Netty HTTP consumers and forward events to a centralized log platform
- Alert on responses containing regex matches for java.lang. or org.apache.camel. exception prefixes returning to external clients
- Track version inventory for Apache Camel deployments to identify hosts running affected releases below 4.14.8, 4.18.3, or 4.21.0
How to Mitigate CVE-2026-49365
Immediate Actions Required
- Inventory all Apache Camel deployments and identify routes using the camel-netty-http component
- Set muteException=true on every affected consumer endpoint as an immediate configuration change
- Restrict network access to Camel Netty HTTP endpoints to trusted clients while patching is in progress
- Rotate any credentials that may have appeared in application exception messages during the exposure window
Patch Information
Upgrade to Apache Camel 4.21.0, which fixes the issue. Users on the 4.14.x LTS stream should upgrade to 4.14.8. Users on the 4.18.x stream should upgrade to 4.18.3. Refer to the Apache Camel CVE-2026-49365 Advisory for the complete patch matrix and the OpenWall OSS-Security Discussion for additional context.
Workarounds
- Set muteException=true directly on the endpoint URI, for example netty-http:http://0.0.0.0:8080/api?muteException=true
- Apply the setting globally via the property camel.component.netty-http.configuration.mute-exception=true
- Add a Camel onException clause that returns a sanitized generic error response and suppresses the original throwable body
# Configuration example - global property for camel-netty-http
camel.component.netty-http.configuration.mute-exception=true
# Endpoint-level configuration
# netty-http:http://0.0.0.0:8080/api?muteException=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

