Apache Camel security advisory: CVE-2026-46587

Severity

MEDIUM

Summary

Camel-Couchbase: Non-Camel-prefixed Exchange headers bypass HeaderFilterStrategy allowing operation override from untrusted input

Versions affected

From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Versions fixed

4.14.8, 4.18.3 and 4.21.0

Description

The camel-couchbase component reads several Exchange headers to control its behaviour - CCB_KEY (document key), CCB_ID (document id), CCB_TTL (document expiry), CCB_DDN (design document name) and CCB_VN (view name). The string values of these header constants, defined in CouchbaseConstants, are plain unprefixed names rather than the Camel-prefixed names used by every other Camel component (for example CamelSqlQuery, CamelMongoDbCriteria). Camel's inbound HTTP header filter, HttpHeaderFilterStrategy, blocks only header names that begin with Camel or camel. Because the Couchbase header names do not carry that prefix, they pass through the inbound filter unchanged. When a Camel route exposes an HTTP entry point (for example platform-http) in front of a couchbase producer, an untrusted HTTP client can set these headers directly on its request and override the document key, id, TTL, design document name or view name that the route author configured. No credentials are required when the HTTP consumer is unauthenticated.

Notes

The fix was merged on main in https://github.com/apache/camel/pull/23228 (commit d0dfa4e0ebd062acaf4a86ca476bb4305db9bfd4) and backported to camel-4.18.x in https://github.com/apache/camel/pull/23230 (commit 8d74cdca9befc74b49d9c52ac6a145be1d413e7d) and camel-4.14.x in https://github.com/apache/camel/pull/23231 (commit c16f7ef39849ae8819f50c959b538350b8f839e9). The issue is classified as CWE-20 (Improper Input Validation). It belongs to the same Camel message-header-injection family as CVE-2025-27636, CVE-2025-29891, CVE-2025-30177, CVE-2026-40453, CVE-2026-46453 and CVE-2026-47323, all of which stem from Camel components reading inbound message headers that the default HeaderFilterStrategy does not block because the header names do not start with the Camel prefix. The fix shares its PR with the sibling advisory CVE-2026-46588 (camel-couchdb).

Mitigation

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix renames the camel-couchbase Exchange header constant string values (CCB_KEY, CCB_ID, CCB_TTL, CCB_DDN, CCB_VN) to carry the Camel prefix (CamelCouchbaseKey, CamelCouchbaseId, CamelCouchbaseTtl, CamelCouchbaseDesignDocumentName, CamelCouchbaseViewName) so that they are blocked by the inbound HttpHeaderFilterStrategy; the Java constant field names are unchanged. For deployments that cannot upgrade immediately, strip the affected headers from untrusted inbound messages before they reach the producer (for example removeHeader(‘CCB_KEY’), removeHeader(‘CCB_ID’), removeHeader(‘CCB_TTL’), removeHeader(‘CCB_DDN’) and removeHeader(‘CCB_VN’) in front of the couchbase endpoint), or apply a custom HeaderFilterStrategy that blocks these names.

Credit

This issue was discovered by Yu Bao from PayPal

References

PGP signed advisory data: CVE-2026-46587.txt.asc
Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-46587