Input Validation Flaw in Apache Camel's Vertx Websocket Component Exposes Sensitive Data
CVE-2026-46726

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-46726?

A vulnerability in the Vertx Websocket component of Apache Camel allows for improper input validation and exposes sensitive information to unauthorized actors. The issue arises when inbound WebSocket parameters are incorrectly mapped to the Camel Exchange header map without applying necessary header filtering. This misconfiguration permits attackers, through crafted WebSocket requests, to inject control headers that redirect server-side HTTP requests to unintended destinations, enabling Server-Side Request Forgery (SSRF). Additionally, sensitive data like environment variables and application properties may be resolved and exposed to the attacker. The vulnerability can be exploited by unauthenticated remote individuals if the WebSocket endpoint lacks authentication. It is recommended that users upgrade their systems to versions 4.21.0, 4.14.8, or 4.18.3 to mitigate the issue.

Affected Version(s)

Apache Camel Vertx Websocket 4.0.0 < 4.14.8

Apache Camel Vertx Websocket 4.15.0 < 4.18.3

Apache Camel Vertx Websocket 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kamalpreet Singh
Andrea Cosentino
.