Improper Input Validation Vulnerability in Apache Camel's DAPR Component
CVE-2026-49086
What is CVE-2026-49086?
A vulnerability exists in Apache Camel's DAPR component, specifically in the Dapr Pub/Sub consumer. This flaw arises from improper input validation, allowing an attacker with publishing rights to manipulate CloudEvent headers, namely the pub/sub component name and topic. By doing so, they can redirect or exfiltrate messages to unintended Dapr Pub/Sub components, thereby bypassing established routing protocols and topic-level access controls. Without the need for user authentication or interaction, this vulnerability poses a significant risk to message integrity and confidentiality. Users are advised to upgrade to the secure versions 4.21.0 or 4.14.8, with interim mitigation strategies including header removal and restricting publish capabilities to trusted entities.
Affected Version(s)
Apache Camel Dapr 4.12.0 < 4.14.8
Apache Camel Dapr 4.15.0 < 4.18.3
Apache Camel Dapr 4.19.0 < 4.21.0