Sensitive Information Exposure in Apache Camel Netty HTTP Component
CVE-2026-49365

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-49365?

A vulnerability exists in the Apache Camel Netty HTTP component, where error messages include sensitive internal information due to configuration settings. Specifically, the 'muteException' option defaults to false, leading to the exposure of detailed Java stack traces during processing errors. This oversight means that unauthenticated clients can receive sensitive data—such as internal hostnames, IP addresses, and application-specific details—when they cause an error, thus increasing the risk of further exploitation. It is crucial for users to upgrade to the latest version of Apache Camel to mitigate this risk or to set 'muteException=true' explicitly in their configurations.

Affected Version(s)

Apache Camel 4.0.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu Bao from PayPal
Andrea Cosentino
.