CVE-2026-56139 Overview
CVE-2026-56139 is an information disclosure vulnerability in the Apache Camel Undertow component. The camel-undertow HTTP server consumer exposes a muteException option that defaulted to false, unlike other Camel HTTP consumers such as camel-http, camel-jetty, camel-servlet, and camel-platform-http, which default it to true. When a route processing error occurs, the consumer writes the full Java Throwable stack trace into the HTTP response body as text/plain. Any unauthenticated client that can reach the endpoint and trigger an error receives the complete stack trace. The flaw is classified as [CWE-209] Generation of Error Message Containing Sensitive Information.
Critical Impact
Unauthenticated remote attackers can obtain internal application details, including credentials embedded in exception messages, host names, IP addresses, filesystem paths, dependency versions, and class names, enabling reconnaissance for follow-on attacks.
Affected Products
- Apache Camel from 4.0.0 before 4.14.8
- Apache Camel from 4.15.0 before 4.18.3
- Apache Camel from 4.19.0 before 4.21.0
Discovery Timeline
- 2026-07-06 - CVE-2026-56139 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-56139
Vulnerability Analysis
The camel-undertow HTTP server consumer diverges from Camel's other HTTP consumer conventions. While camel-http, camel-jetty, camel-servlet, and camel-platform-http default muteException to true, the Undertow consumer defaulted it to false. When processing an inbound request triggers a Java exception, the consumer serializes the entire Throwable stack trace into the response body with a text/plain content type instead of returning an empty error body.
Stack traces exposed by this flaw can disclose credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and structural details of the application. Attackers use this data to enumerate the runtime environment, identify vulnerable dependencies, and plan targeted follow-on attacks.
A secondary defect worsens the exposure for Rest DSL consumers. The RestUndertowHttpBinding was instantiated with a hard-coded false for the mute flag. As a result, even administrators who explicitly set muteException=true still received full stack traces from Rest DSL endpoints until the fix was applied.
Root Cause
The root cause is an inconsistent secure default in the camel-undertow component combined with a hard-coded parameter in RestUndertowHttpBinding that ignored the operator-supplied configuration. Error handling logic emitted the raw stack trace rather than a sanitized response.
Attack Vector
Exploitation requires only network reachability to a Camel Undertow endpoint. An unauthenticated attacker sends a request designed to trigger a processing exception, such as a malformed request body, an invalid parameter, or input that causes a route-internal failure. The response returns the full Java stack trace, which the attacker parses to harvest sensitive internal details.
// No verified proof-of-concept code is published for CVE-2026-56139.
// Refer to the Apache Camel security advisory for technical details:
// https://camel.apache.org/security/CVE-2026-56139.html
Detection Methods for CVE-2026-56139
Indicators of Compromise
- HTTP responses from Camel Undertow endpoints containing java.lang. or at org.apache.camel patterns in text/plain bodies.
- Repeated malformed or invalid requests to Undertow-backed routes originating from a single source, indicative of error-triggering probes.
- Access log entries showing 4xx or 5xx responses with unusually large response bodies from Camel HTTP endpoints.
Detection Strategies
- Inspect outbound HTTP response bodies from Camel Undertow consumers for Java stack trace signatures such as Exception, Caused by:, or at java. frames.
- Audit deployed Camel versions against the affected ranges (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) using software composition analysis tools.
- Review Camel route configurations for the presence and value of the muteException property on undertow: endpoints.
Monitoring Recommendations
- Enable web application firewall (WAF) rules that flag or block responses containing Java stack trace patterns leaving the environment.
- Aggregate application error logs and alert on spikes in exception-generating requests to Undertow endpoints.
- Continuously monitor dependency inventories for outdated apache:camel artifacts across build pipelines and running workloads.
How to Mitigate CVE-2026-56139
Immediate Actions Required
- Upgrade Apache Camel to 4.21.0, or to 4.14.8 for the 4.14.x LTS stream, or to 4.18.3 for the 4.18.x stream.
- For deployments that cannot upgrade immediately, set muteException=true explicitly on every camel-undertow consumer endpoint.
- Audit all Rest DSL consumers backed by Undertow, since the workaround does not cover them on affected releases; only the patched version resolves that path.
Patch Information
Apache has released fixed versions 4.14.8, 4.18.3, and 4.21.0. Full remediation details are available in the Apache Camel Security Advisory and the Openwall OSS-Security Discussion.
Workarounds
- Set muteException=true on individual Undertow endpoints, for example undertow:http://0.0.0.0:8080/api?muteException=true.
- Apply the global property camel.component.undertow.mute-exception=true to enforce muted exceptions across all Undertow consumers.
- Deploy an upstream reverse proxy or WAF rule that strips or blocks response bodies containing Java stack traces until patching completes.
# Global Camel Undertow configuration to suppress stack traces in error responses
camel.component.undertow.mute-exception=true
# Or per-endpoint URI parameter
# undertow:http://0.0.0.0:8080/api?muteException=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

