Sensitive Information Disclosure in Apache Camel Undertow Component
CVE-2026-56139

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-56139?

The Apache Camel Undertow Component contains a vulnerability that allows unauthorized clients to receive detailed error messages, including Java stack traces, during route processing failures. This occurs due to a misconfiguration of the muteException option, which defaults to false. This can lead to the exposure of sensitive information such as internal hostnames, IP addresses, and application-specific credentials. Notably, the Rest DSL consumers ignore this configuration entirely, further exposing internal system details. To mitigate risks, users are advised to upgrade to the latest versions or explicitly set muteException=true.

Affected Version(s)

Apache Camel Undertow 4.0.0 < 4.14.8

Apache Camel Undertow 4.15.0 < 4.18.3

Apache Camel Undertow 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu Bao from PayPal
Andrea Cosentino
.