Improper Input Validation Vulnerability in Apache Camel NATS Component
CVE-2026-46457

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-46457?

An improper input validation issue exists in the NATS component of Apache Camel, affecting versions 4.0.0 to 4.14.7, 4.15.0 to 4.18.2, and 4.19.0 to 4.20.9. This flaw allows clients capable of publishing to specific NATS subjects to inject arbitrary Camel control headers, which can manipulate the behavior of downstream message producers. As these injected headers persist across multiple internal hops, they pose significant risks, enabling potential redirection of HTTP requests, alteration of file names, or overriding of SQL queries. Successful exploitation of this vulnerability can have a severe impact depending on the specific configurations of the downstream producers. It is crucial for users to upgrade to version 4.21.0 or, if on the LTS release streams, to 4.14.8 or 4.18.3 to remediate this issue.

Affected Version(s)

Apache Camel 4.0.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu Bao from PayPal
.