Improper Input Validation in Apache Camel's Lucene Component
CVE-2026-46585
Currently unrated
What is CVE-2026-46585?
The Apache Camel Lucene Component is susceptible to an improper input validation and authorization bypass vulnerability. This flaw occurs when the camel-lucene producer processes input headers that are not properly filtered due to missing Camel prefix checks, allowing any HTTP client to manipulate the QUERY and RETURN_LUCENE_DOCS headers. Consequently, malicious users can execute unauthorized Lucene queries against the service’s full-text index, potentially exposing sensitive documents or consuming excessive CPU resources. The recommended mitigation involves upgrading to secure versions and adjusting header handling in routes.
Affected Version(s)
Apache Camel Lucene 4.0.0 < 4.14.8
Apache Camel Lucene 4.15.0 < 4.18.3
Apache Camel Lucene 4.19.0 < 4.21.0