Apache Camel security advisory: CVE-2026-45760

Severity

HIGH

Summary

Camel K Cross-Namespace Build Deputy Attack

Versions affected

This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.

Versions fixed

2.8.1, 2.9.2 and 2.10.1

Description

CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-639 (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. A user who is authorized to create Build resources in one Kubernetes namespace can, through the content of that Build, control the generation of build Pods in a namespace of their choice, including the operator namespace. The operator acts as a confused deputy: its own privileges are used to create Pods where the requesting user has no rights of their own.
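The following triage helper is an added example written for this advisory; it is not code from the Camel K project. It covers two things a cluster operator wants after reading the version ranges above and the description: whether an installed operator version falls inside the affected ranges, and whether any existing Build object contains a namespace reference that differs from the Build's own namespace. The advisory does not name the exact spec field that selects the target namespace, so the second check walks the whole Build spec for any key called "namespace" instead of assuming a path. The Build objects below are constructed samples, and the field path `spec.tasks[].builder.meta.namespace` used in one of them is an assumption chosen only to exercise the walker; on a real cluster the input would be the parsed output of `kubectl get builds -A -o json`.

```python
"""Added triage helper for CVE-2026-45760 (not part of Apache Camel K)."""
import re
from typing import Iterator

# Affected ranges copied from the advisory: [lower, upper) per release line.
AFFECTED_RANGES = (
    ((2, 0, 0), (2, 8, 1)),
    ((2, 9, 0), (2, 9, 2)),
    ((2, 10, 0), (2, 10, 1)),
)


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'v2.9.1' or '2.9.1-SNAPSHOT' into (2, 9, 1); pre-release tags are ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?", version.strip())
    if not m:
        raise ValueError(f"not a semantic version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True if the given Camel K operator version is inside an affected range."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def _walk(node, path: str) -> Iterator[tuple[str, object]]:
    """Yield (dotted path, leaf value) for every scalar in a nested dict/list."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from _walk(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk(val, f"{path}[{i}]")
    else:
        yield path, node


def cross_namespace_refs(build: dict) -> list[tuple[str, str]]:
    """Return every 'namespace' field inside spec whose value is not the Build's own namespace.

    Any hit means the Build asks the operator to act in a namespace other than
    the one the Build lives in, which is the pattern the advisory describes.
    """
    own = build["metadata"]["namespace"]
    hits = []
    for path, value in _walk(build.get("spec", {}), "spec"):
        if path.endswith(".namespace") and isinstance(value, str) and value != own:
            hits.append((path, value))
    return hits


# Constructed sample objects (not real cluster output). The nested
# tasks[].builder.meta.namespace location is an assumption for illustration.
BENIGN_BUILD = {
    "apiVersion": "camel.apache.org/v1",
    "kind": "Build",
    "metadata": {"name": "kit-benign", "namespace": "tenant-a"},
    "spec": {"tasks": [{"builder": {"name": "builder", "meta": {"namespace": "tenant-a"}}}]},
}

SUSPECT_BUILD = {
    "apiVersion": "camel.apache.org/v1",
    "kind": "Build",
    "metadata": {"name": "kit-suspect", "namespace": "tenant-a"},
    "spec": {"tasks": [{"builder": {"name": "builder", "meta": {"namespace": "camel-k-operator"}}}]},
}


def triage(operator_version: str, builds: list[dict]) -> dict:
    """Summarise version exposure and any Builds that reference foreign namespaces."""
    flagged = {}
    for b in builds:
        hits = cross_namespace_refs(b)
        if hits:
            name = f'{b["metadata"]["namespace"]}/{b["metadata"]["name"]}'
            flagged[name] = hits
    return {"operator_affected": is_affected(operator_version), "flagged_builds": flagged}


if __name__ == "__main__":
    report = triage("2.9.1", [BENIGN_BUILD, SUSPECT_BUILD])
    print(report)
```

A flagged Build is not proof of exploitation on its own (some legitimate configurations may carry a namespace field), but on an affected operator version it is the object to review first, and any reference to the operator namespace from a tenant namespace deserves an incident ticket.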

Notes

The pull requests https://github.com/apache/camel-k/pull/6626 (2.10.x), https://github.com/apache/camel-k/pull/6627 (2.9.x) and https://github.com/apache/camel-k/pull/6629 (2.8.x) contain the commits that resolved the issue and have more details.

Mitigation

Users are recommended to upgrade to version 2.10.1, 2.9.2 or 2.8.1, whichever matches the release line in use, which fixes the issue. Until the upgrade is applied, permission to create Build resources in any namespace should be treated as equivalent to permission to create Pods in the operator namespace when scoping RBAC.

Credit

This issue was discovered by @j311yl0v3u (2439839508@qq.com) and @b0b0haha (603571786@qq.com)

References

PGP signed advisory data: CVE-2026-45760.txt.asc
Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-45760