Improper Input Validation and SSRF in Apache Camel's Atmosphere Websocket Component
CVE-2026-55993
What is CVE-2026-55993?
A vulnerability in the Atmosphere Websocket Component of Apache Camel allows attackers to exploit improper input validation in inbound WebSocket queries. The absence of a HeaderFilterStrategy enables clients to inject control headers into the Camel Exchange. This results in potential server-side request forgery (SSRF) by redirecting HTTP requests to attacker-specified destinations. Furthermore, the HTTP producer processes Camel property placeholders on these tainted URIs, leading to the unauthorized disclosure of sensitive data, such as environment variables and application secrets. This vulnerability particularly impacts deployments with exposed WebSocket endpoints lacking authentication, making them targets for unauthorized actors.
Affected Version(s)
Apache Camel Atmosphere Websocket 4.0.0 < 4.14.8
Apache Camel Atmosphere Websocket 4.15.0 < 4.18.3
Apache Camel Atmosphere Websocket 4.19.0 < 4.21.0