Input Validation Flaw in Apache Camel Kafka Component Affects Data Integrity
CVE-2026-49098

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-49098?

The Apache Camel Kafka Component is susceptible to an input validation flaw that enables an attacker to manipulate the target Kafka topic at runtime. Specifically, the kafka.OVERRIDE_TOPIC header can be exploited to publish messages to arbitrary, potentially sensitive topics, bypassing predefined configurations. This vulnerability arises because the KafkaProducer evaluates the header value over the configured topic without adequate validation. In multi-component routes, unfiltered kafka.* headers can be injected, allowing unauthorized clients to overwrite key Kafka headers, including kafka.OVERRIDE_TIMESTAMP and kafka.PARTITION_KEY, thus enabling attackers to influence message timing and partitioning. To mitigate this issue, upgrading to version 4.21.0 or implementing header validation strategies is strongly recommended.

Affected Version(s)

Apache Camel 4.0.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu Bao from PayPal
Andrea Cosentino
.