Improper Input Validation Vulnerability in Apache Camel's DAPR Component
CVE-2026-49086

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-49086?

A vulnerability exists in Apache Camel's DAPR component, specifically in the Dapr Pub/Sub consumer. This flaw arises from improper input validation, allowing an attacker with publishing rights to manipulate CloudEvent headers, namely the pub/sub component name and topic. By doing so, they can redirect or exfiltrate messages to unintended Dapr Pub/Sub components, thereby bypassing established routing protocols and topic-level access controls. Without the need for user authentication or interaction, this vulnerability poses a significant risk to message integrity and confidentiality. Users are advised to upgrade to the secure versions 4.21.0 or 4.14.8, with interim mitigation strategies including header removal and restricting publish capabilities to trusted entities.

Affected Version(s)

Apache Camel Dapr 4.12.0 < 4.14.8

Apache Camel Dapr 4.15.0 < 4.18.3

Apache Camel Dapr 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Leon Zlobecki
Andrea Cosentino
.