Improper Input Validation in Apache Camel ElasticSearch Rest Client
CVE-2026-46453

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-46453?

The ElasticSearch Rest Client component of Apache Camel is vulnerable to improper input validation, leading to potential authorization bypass. It allows untrusted HTTP clients to manipulate several Exchange headers that control the component’s behavior, such as SEARCH_QUERY and OPERATION, without requiring any authentication. This can result in unauthorized operations, including reading all index documents or deleting specific records. The vulnerability stems from the lack of a prefix for these headers, circumventing the normal security checks in Apache Camel, which blocks headers that start with 'Camel'. To mitigate this issue, it is crucial for users to upgrade to the latest versions or implement a filtering strategy to remove these vulnerable headers from incoming requests.

Affected Version(s)

Apache Camel 4.3.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu Bao from Paypal
.