Apache Camel security advisory: CVE-2026-48204

Severity

MEDIUM

Summary

Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to switch the GridFS operation - including destructive file deletion - in the default configuration

Versions affected

From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Versions fixed

4.14.8, 4.18.3 and 4.21.0

Description

The camel-mongodb-gridfs producer selects the GridFS operation to perform from the gridfs.operation Exchange header whenever the endpoint's operation parameter is not set, which is the default. Before the fix, the control-header constants (GridFsConstants.GRIDFS_OPERATION, GRIDFS_OBJECT_ID, GRIDFS_METADATA, GRIDFS_CHUNKSIZE and GRIDFS_FILE_ID_PRODUCED) were the plain strings gridfs.operation, gridfs.objectid, gridfs.metadata, gridfs.chunksize and gridfs.fileid.

Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy, which blocks only the Camel header namespace at the HTTP boundary, let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a mongodb-gridfs: producer with no explicit operation, any HTTP client could therefore send a gridfs.operation header to override the route's intended operation: a file upload becomes remove (deleting the file identified by the attacker-supplied gridfs.objectid), listAll (enumerating every file in the bucket) or findOne (reading a file). The same client could supply a gridfs.metadata value, which the producer parses as a MongoDB document, enabling NoSQL operator injection. No credentials are required when the bridging consumer is unauthenticated.
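The filter behaviour described above can be checked directly against HttpHeaderFilterStrategy, which HTTP consumers consult for every inbound request header. The following is an added example, not code from the Camel project or this advisory; it assumes the class lives in camel-http-base under org.apache.camel.http.base (the artifact and package name are assumptions), and that the camel-core and camel-support artifacts are on the classpath. Run on an affected release it reports the five legacy gridfs.* names as reaching the Exchange and the five CamelGridFs* names as filtered.

```java
import org.apache.camel.Exchange;
import org.apache.camel.http.base.HttpHeaderFilterStrategy; // assumed: camel-http-base artifact/package
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.spi.HeaderFilterStrategy;
import org.apache.camel.support.DefaultExchange;

/**
 * Shows which GridFS control-header names survive Camel's HTTP-boundary filter.
 * applyFilterToExternalHeaders(...) returning true means "drop this inbound header".
 */
public class GridFsHeaderFilterCheck {

    // Pre-fix header strings (GridFsConstants before 4.14.8 / 4.18.3 / 4.21.0).
    static final String[] LEGACY_NAMES = {
        "gridfs.operation", "gridfs.objectid", "gridfs.metadata", "gridfs.chunksize", "gridfs.fileid"
    };
    // Post-fix header strings, now inside the filtered Camel namespace.
    static final String[] FIXED_NAMES = {
        "CamelGridFsOperation", "CamelGridFsObjectId", "CamelGridFsMetadata",
        "CamelGridFsChunkSize", "CamelGridFsFileId"
    };

    /** True when an inbound HTTP header of this name would be copied into the Exchange. */
    static boolean reachesExchange(HeaderFilterStrategy strategy, Exchange exchange,
                                   String name, Object value) {
        return !strategy.applyFilterToExternalHeaders(name, value, exchange);
    }

    public static void main(String[] args) {
        HeaderFilterStrategy strategy = new HttpHeaderFilterStrategy();
        Exchange exchange = new DefaultExchange(new DefaultCamelContext());

        // "remove" stands in for the attacker-chosen value; the filter only looks at the name.
        for (String name : LEGACY_NAMES) {
            System.out.printf("%-24s reaches Exchange: %b%n",
                    name, reachesExchange(strategy, exchange, name, "remove"));
        }
        for (String name : FIXED_NAMES) {
            System.out.printf("%-24s reaches Exchange: %b%n",
                    name, reachesExchange(strategy, exchange, name, "remove"));
        }
    }
}
```

The same check is useful as a regression guard for any other component whose control headers you pass across an HTTP boundary: if a header name that drives behaviour reaches the Exchange here, an unauthenticated client can set it.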

Notes

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-23575 refers to the commits that resolved the issue and has more details. The fix was merged on main in https://github.com/apache/camel/pull/23413 (commit 8f0b1acfb89867bc28805d8281fa5c70192e2122) and backported to camel-4.18.x (commit 054d0c1e6c63f06b1a890c93f24115ee9bd110a8) and camel-4.14.x (commit 9915ad461dad8f5073782f643557bf1e7ae3bc31).

The fix renames the camel-mongodb-gridfs Exchange header values to the Camel convention: gridfs.operation to CamelGridFsOperation, gridfs.objectid to CamelGridFsObjectId, gridfs.metadata to CamelGridFsMetadata, gridfs.chunksize to CamelGridFsChunkSize and gridfs.fileid to CamelGridFsFileId. This brings the component in line with the parent camel-mongodb component (CamelMongoDbOperation), so the operation-control headers are now filtered at the HTTP boundary like every other Camel control header and can no longer be supplied by an untrusted HTTP client. The Java field names are unchanged, so code that references the GridFsConstants constants keeps working. It is a breaking change for routes that set these headers by their raw string value (the gridfs. names), which must be updated to the CamelGridFs names; the Endpoint DSL accessors are renamed accordingly (see the 4.21 upgrade guide).

The issue is classified as CWE-20 (Improper Input Validation) and CWE-284 (Improper Access Control). It belongs to the same Camel header-injection family as CVE-2025-27636, CVE-2025-29891, CVE-2025-30177, CVE-2026-40453, CVE-2026-46454 and CVE-2026-47323, and shares its root cause, a non-Camel-prefixed header constant, with the camel-lucene QUERY, camel-cxf operationName and camel-solr SolrParam. siblings.

Mitigation

Users are recommended to upgrade to version 4.21.0, which fixes the issue. Users on the 4.14.x LTS release stream are suggested to upgrade to 4.14.8; users on the 4.18.x release stream are suggested to upgrade to 4.18.3. After upgrading, routes that drive GridFS operations or metadata via the raw header names must use CamelGridFsOperation / CamelGridFsObjectId / CamelGridFsMetadata / CamelGridFsChunkSize / CamelGridFsFileId instead of the gridfs.* names; a gridfs.operation header set by a route is no longer honoured by the producer. For deployments that cannot upgrade immediately, set an explicit operation on the mongodb-gridfs: endpoint so the operation is never taken from a header, and strip the gridfs.* headers (for example with removeHeaders("gridfs.*")) from any untrusted ingress before the message reaches the producer. Pinning the operation on the endpoint is the primary control, since it removes the header as a control channel entirely; header stripping only protects the ingress paths it is actually placed on.
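The interim hardening above, applied to the HTTP-to-GridFS bridge described in this advisory, as an added example (not the Camel project's own code or a route from this advisory). It assumes a MongoClient registered in the Camel registry under the bean name myMongo, a database named docs, a bucket named fs, the path /files/upload and a filename query parameter; all of these are placeholders. The producer's file name comes from the Camel FILE_NAME header (CamelFileName), which is itself filtered at the HTTP boundary, so the route derives it from the query parameter that platform-http exposes as an ordinary header.

```java
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;

/**
 * GridFS upload route with the interim mitigation applied:
 * untrusted gridfs.* headers are stripped and the operation is pinned on the endpoint.
 */
public class GridFsUploadRoute extends RouteBuilder {

    @Override
    public void configure() {
        // Vulnerable shape on affected versions, kept here only for contrast: no operation
        // on the endpoint, so the producer reads gridfs.operation from the Exchange, where
        // a client-sent header of that name lands because it is outside the Camel namespace.
        //
        //   from("platform-http:/files/upload")
        //       .to("mongodb-gridfs:myMongo?database=docs&bucket=fs");

        from("platform-http:/files/upload?httpMethodRestrict=POST")
            // 1. Drop every gridfs.* header that arrived with the request before the
            //    producer can read it (Camel wildcard pattern; covers the whole legacy family).
            .removeHeaders("gridfs.*")
            // 2. CamelFileName never arrives from the client (it is filtered), so take the
            //    GridFS file name from the ?filename= query parameter instead (assumed name).
            .setHeader(Exchange.FILE_NAME, simple("${header.filename}"))
            // 3. Pin the operation on the endpoint so gridfs.operation is not consulted at all.
            .to("mongodb-gridfs:myMongo?database=docs&bucket=fs&operation=create");

        // Deletion lives on an internal route whose operation is fixed by the endpoint, not
        // by a header; the id comes from the body the calling route chooses to pass. On fixed
        // releases the object-id header is CamelGridFsObjectId instead of gridfs.objectid.
        from("direct:deleteFile")
            .removeHeaders("gridfs.*")
            .setHeader("gridfs.objectid", simple("${body}"))
            .to("mongodb-gridfs:myMongo?database=docs&bucket=fs&operation=remove");
    }
}
```

The two measures are deliberately layered: removeHeaders guards against any other header-driven behaviour of the producer (metadata, chunk size) on the ingress it is placed on, while the explicit operation on the endpoint closes the operation-switching channel regardless of how a message reaches the producer.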

Credit

This issue was discovered by Yu Bao from PayPal

References

PGP signed advisory data: CVE-2026-48204.txt.asc
Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-48204