Improper Input Validation in Apache Camel ElasticSearch Rest Client
CVE-2026-46453
What is CVE-2026-46453?
The ElasticSearch Rest Client component of Apache Camel is vulnerable to improper input validation, leading to potential authorization bypass. It allows untrusted HTTP clients to manipulate several Exchange headers that control the component’s behavior, such as SEARCH_QUERY and OPERATION, without requiring any authentication. This can result in unauthorized operations, including reading all index documents or deleting specific records. The vulnerability stems from the lack of a prefix for these headers, circumventing the normal security checks in Apache Camel, which blocks headers that start with 'Camel'. To mitigate this issue, it is crucial for users to upgrade to the latest versions or implement a filtering strategy to remove these vulnerable headers from incoming requests.
Affected Version(s)
Apache Camel 4.3.0 < 4.14.8
Apache Camel 4.15.0 < 4.18.3
Apache Camel 4.19.0 < 4.21.0