Improper Input Validation and SSRF in Apache Camel's Atmosphere Websocket Component
CVE-2026-55993

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-55993?

A vulnerability in the Atmosphere Websocket Component of Apache Camel allows attackers to exploit improper input validation in inbound WebSocket queries. The absence of a HeaderFilterStrategy enables clients to inject control headers into the Camel Exchange. This results in potential server-side request forgery (SSRF) by redirecting HTTP requests to attacker-specified destinations. Furthermore, the HTTP producer processes Camel property placeholders on these tainted URIs, leading to the unauthorized disclosure of sensitive data, such as environment variables and application secrets. This vulnerability particularly impacts deployments with exposed WebSocket endpoints lacking authentication, making them targets for unauthorized actors.

Affected Version(s)

Apache Camel Atmosphere Websocket 4.0.0 < 4.14.8

Apache Camel Atmosphere Websocket 4.15.0 < 4.18.3

Apache Camel Atmosphere Websocket 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kamalpreet Singh
Andrea Cosentino
.