Sensitive Information Exposure in Apache Camel Netty HTTP Component
CVE-2026-49365
What is CVE-2026-49365?
A vulnerability exists in the Apache Camel Netty HTTP component, where error messages include sensitive internal information due to configuration settings. Specifically, the 'muteException' option defaults to false, leading to the exposure of detailed Java stack traces during processing errors. This oversight means that unauthenticated clients can receive sensitive data—such as internal hostnames, IP addresses, and application-specific details—when they cause an error, thus increasing the risk of further exploitation. It is crucial for users to upgrade to the latest version of Apache Camel to mitigate this risk or to set 'muteException=true' explicitly in their configurations.
Affected Version(s)
Apache Camel 4.0.0 < 4.14.8
Apache Camel 4.15.0 < 4.18.3
Apache Camel 4.19.0 < 4.21.0