Apache Camel security advisory: CVE-2026-48205

Severity

MEDIUM

Summary

Camel-DNS: The dns.* and term Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect DNS queries to an attacker-controlled server (server-side request forgery) and enumerate internal hostnames

Versions affected

From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Versions fixed

4.14.8, 4.18.3 and 4.21.0

Description

The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a dns: producer, any HTTP client could therefore set the dns.server header to make the dig producer build a SimpleResolver pointing at an attacker-controlled DNS server - a server-side request forgery via DNS, through which the attacker observes the queried name and can return poisoned responses - and set the dns.name / dns.domain headers to resolve arbitrary internal hostnames, disclosing whether they exist (internal network reconnaissance). No credentials are required when the bridging consumer is unauthenticated.

Notes

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-23574 refers to the various commits that resolved the issue and has more details. The fix was merged on main in https://github.com/apache/camel/pull/23411 (commit bdd40cf23f2b22cd293ddad319069a7b3b3c6c70) and backported to camel-4.18.x (commit 29b18beaf1fb07276de909b8e19cd87f01e8abd9) and camel-4.14.x (commit a6d8a44684c0116531e70ad8eb8bb37bd5601e98). The fix renames the camel-dns Exchange header values to the Camel convention - dns.server to CamelDnsServer, dns.name to CamelDnsName, dns.domain to CamelDnsDomain, dns.type to CamelDnsType, dns.class to CamelDnsClass and term to CamelDnsTerm - so they are filtered on the HTTP boundary (and by other transport HeaderFilterStrategy implementations) like every other Camel control header. The Java field names (DnsConstants.DNS_SERVER and so on) are unchanged, so code referencing the constants keeps working. It is a breaking change for routes that set these headers by their raw string value (dns.* / term), which must be updated to the CamelDns* names, and for bridge routes that take the parameters from a sender-supplied header: those must now carry them in a non-Camel-prefixed application header and map them in the route (see the 4.21 upgrade guide). The issue is classified as CWE-20 (Improper Input Validation) and CWE-918 (Server-Side Request Forgery). It belongs to the same Camel header-injection family as CVE-2025-27636, CVE-2025-29891, CVE-2025-30177, CVE-2026-40453, CVE-2026-46454 and CVE-2026-47323, and shares the non-Camel-prefixed-header-constant root cause with its camel-lucene (QUERY), camel-cxf (operationName) and camel-solr (SolrParam. prefix) siblings.

Mitigation

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For deployments that cannot upgrade immediately, strip the dns.* and term headers from any untrusted ingress before the dns: producer, and set the DNS server and lookup parameters from a trusted source in the route.
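The following RouteBuilder is an added example, not code from the Apache Camel project or from this advisory. It puts the vulnerable bridge shape from the Description beside a hardened bridge that applies the interim mitigation above (strip the raw control headers, set the resolver from a trusted value) and the post-upgrade pattern from the Notes (carry the lookup name in an application header and map it in the route). The endpoint paths, the X-Lookup-Name header, the resolver address 10.0.0.53, the example.com zone policy and the validatedName helper are all assumptions made for the example.

```java
import java.util.Locale;
import java.util.regex.Pattern;

import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.dns.DnsConstants;

/**
 * Added example, not Apache Camel project code. Assumed: the /lookup paths, the
 * X-Lookup-Name application header, the resolver 10.0.0.53 and the example.com zone.
 */
public class DnsBridgeRoutes extends RouteBuilder {

    // RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens,
    // at most 253 characters in total. Rejects whitespace, slashes and empty labels.
    private static final Pattern HOSTNAME = Pattern.compile(
            "^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\\.)+[A-Za-z]{2,63}$");

    // Assumed policy: the bridge may only resolve names inside this zone.
    private static final String ALLOWED_ZONE = ".example.com";

    // Assumed trusted resolver; it is never taken from the request.
    private static final String RESOLVER = "10.0.0.53";

    @Override
    public void configure() {

        // Vulnerable shape on affected versions (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x):
        // nothing sits between the HTTP consumer and dns:dig, and HttpHeaderFilterStrategy
        // lets non-Camel-prefixed names through, so a request carrying
        // "dns.server: 203.0.113.7" and "dns.name: intranet-db.corp" chooses both the
        // resolver and the name. Kept here only for contrast; do not deploy.
        from("platform-http:/lookup-vulnerable")
            .to("dns:dig")
            .convertBodyTo(String.class);

        // Hardened bridge. On affected versions the removeHeaders/removeHeader pair is
        // what blocks the injection; on 4.14.8 / 4.18.3 / 4.21.0 the renamed CamelDns*
        // headers are already dropped at the HTTP boundary, and DnsConstants resolves
        // to the new names, so the same route works before and after the upgrade.
        from("platform-http:/lookup")
            // Camel header lookup is case-insensitive, so strip the raw control
            // headers case-insensitively too ("Dns.Server" must not slip past "dns.*").
            .removeHeaders("(?i)dns\\..*")
            .removeHeader("term")
            // The client picks only the name, through an application header, and
            // only after it passes the allow-list check below.
            .process(e -> {
                String raw = e.getMessage().getHeader("X-Lookup-Name", String.class);
                e.getMessage().setHeader(DnsConstants.DNS_NAME, validatedName(raw));
            })
            // Resolver and record type come from the route, never from the sender.
            .setHeader(DnsConstants.DNS_SERVER, constant(RESOLVER))
            .setHeader(DnsConstants.DNS_TYPE, constant("A"))
            .to("dns:dig")
            .convertBodyTo(String.class);
    }

    /** Allow-list the client-chosen name: well-formed and inside the permitted zone. */
    static String validatedName(String raw) {
        if (raw == null || !HOSTNAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("malformed lookup name");
        }
        String name = raw.toLowerCase(Locale.ROOT);
        if (!name.endsWith(ALLOWED_ZONE)) {
            throw new IllegalArgumentException("lookup outside permitted zone");
        }
        return name;
    }
}
```

A rejected name raises an exception in the processor, which platform-http turns into an error response, so the dns: producer never sees it. Where the bridge needs nothing else from the inbound request, the stricter form is an allow-list, for example removeHeaders("*", "X-Lookup-Name"), which drops every incoming header except the one the route maps itself; the pattern-based strip above is the minimal change that matches the interim mitigation in this advisory.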

Credit

This issue was discovered by Yu Bao from PayPal.

References

PGP signed advisory data: CVE-2026-48205.txt.asc
Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-48205