Server-Side Request Forgery and Information Exposure in Apache Camel's Iggy Component
CVE-2026-55994
What is CVE-2026-55994?
In the Apache Camel framework, the Iggy component has a vulnerability that allows unauthorized actors to exploit improper input validation, resulting in Server-Side Request Forgery (SSRF) and exposure of sensitive information. The issue arises as the Iggy component does not filter Camel-internal control headers when mapping user-defined headers into the Camel Exchange header map. Attackers can craft malicious messages that include control headers, redirecting server-side HTTP requests to arbitrary destinations. Consequently, sensitive environment variables and application properties can be disclosed, as these values are resolved in the application's context. Immediate remediation involves upgrading to Apache Camel version 4.21.0 or 4.18.3, integrating header-filtering strategies, or implementing strict access controls to message publishing.
Affected Version(s)
Apache Camel Iggy 4.17.0 < 4.18.3
Apache Camel Iggy 4.19.0 < 4.21.0