Apache Camel security advisory: CVE-2026-48206

Severity

MEDIUM

Summary

Camel-JIRA: the non-Camel-prefixed Exchange header constants (IssueKey, ProjectKey, IssueTransitionId, ...) pass through the HTTP header filter, allowing an HTTP client to drive arbitrary JIRA issue operations with the endpoint's configured credentials

Versions affected

From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Versions fixed

4.14.8, 4.18.3 and 4.21.0

Description

The camel-jira producers read their operation parameters (the issue key, project key, transition id, summary, type, assignee, components, watchers, link type, work-log minutes and others) from Exchange message headers. The header constants defined in JiraConstants (for example ISSUE_KEY = IssueKey, ISSUE_PROJECT_KEY = ProjectKey, ISSUE_TRANSITION_ID = IssueTransitionId, LINK_TYPE = linkType) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy, which blocks only the Camel header namespace at the HTTP boundary, let them pass from an inbound HTTP request straight into the Exchange.

In a route that bridges an HTTP consumer (for example platform-http) into a jira: producer, any HTTP client could therefore supply these headers and override the values the route intended, driving JIRA operations against the configured JIRA instance with the endpoint's configured service-account credentials: for example deleting or transitioning an arbitrary issue (via IssueKey / IssueTransitionId), creating an issue in a different project (via ProjectKey), modifying issue fields, adding or removing watchers, or logging work.

The operations are bounded by what the configured service account is permitted to do. The attacker needs no credentials of their own when the bridging consumer is unauthenticated.
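To see the filter decision the description turns on, here is an added probe, not code from this advisory or from the Camel project, that asks HttpHeaderFilterStrategy whether it would drop each inbound header name before it reaches the Exchange. It assumes camel-core and camel-http-base 4.x on the classpath; the header names are the pre-fix camel-jira values quoted above and their CamelJira* replacements, and the header value passed to the filter is made up.

```java
import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.http.base.HttpHeaderFilterStrategy;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.spi.HeaderFilterStrategy;
import org.apache.camel.support.DefaultExchange;

/**
 * Added example: probes the HTTP header filter that platform-http applies to
 * inbound request headers. Not part of the advisory or of Camel itself.
 */
public class JiraHeaderFilterProbe {

    // Constructed sample input: the pre-fix camel-jira header names, exactly as
    // an HTTP client could send them, and the CamelJira* names the fix uses.
    static final String[] PRE_FIX_NAMES = { "IssueKey", "ProjectKey", "IssueTransitionId", "linkType" };
    static final String[] FIXED_NAMES = { "CamelJiraIssueKey", "CamelJiraProjectKey", "CamelJiraIssueTransitionId" };

    /**
     * True when the strategy would drop this external (inbound HTTP) header on
     * its way into the Exchange; false means the header lands on the message
     * and is visible to the jira: producer.
     */
    static boolean droppedOnIngress(HeaderFilterStrategy strategy, Exchange exchange, String headerName) {
        // applyFilterToExternalHeaders answers "should this external header be filtered out?"
        return strategy.applyFilterToExternalHeaders(headerName, "attacker-chosen", exchange);
    }

    public static void main(String[] args) {
        // The context does not need to be started for the filter to be consulted.
        CamelContext context = new DefaultCamelContext();
        Exchange exchange = new DefaultExchange(context);
        HeaderFilterStrategy strategy = new HttpHeaderFilterStrategy();

        for (String name : PRE_FIX_NAMES) {
            report(strategy, exchange, name);
        }
        for (String name : FIXED_NAMES) {
            report(strategy, exchange, name);
        }
    }

    private static void report(HeaderFilterStrategy strategy, Exchange exchange, String name) {
        boolean dropped = droppedOnIngress(strategy, exchange, name);
        System.out.printf("%-28s %s%n", name, dropped ? "dropped by filter" : "passes into the Exchange");
    }
}
```

The filter itself knows nothing about JIRA, so the outcome does not depend on the camel-jira version: the names in PRE_FIX_NAMES pass regardless, which is why the fix had to move the constants into the Camel namespace rather than change the filter.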

Notes

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-23576 refers to the various commits that resolved the issue and has more details. The fix was merged on main in https://github.com/apache/camel/pull/23417 (commit 3240a174a3707ba2b1d893c4ac0880829e0c9233) and backported to camel-4.18.x (commit 024704f95f16d1260304054088fa0b34acb57ebf) and camel-4.14.x (commit 6863ea624605ab3fa8827c43a4c5df333f767dc4).

The fix renames the camel-jira Exchange header constant values to the CamelJira* convention (for example IssueKey becomes CamelJiraIssueKey), so they are filtered on the HTTP boundary like every other Camel control header. The Java field names are unchanged, so code that references the constants (JiraConstants.ISSUE_KEY and so on) keeps working. It is a breaking change for routes that set these headers by their raw string value, which must be updated to the CamelJira* names, and the Endpoint DSL header accessors are renamed accordingly (issueKey() to jiraIssueKey(), etc.; see the 4.21 upgrade guide).

The issue is classified as CWE-20 (Improper Input Validation) and CWE-639 (Authorization Bypass Through User-Controlled Key). It belongs to the same Camel header-injection family as CVE-2025-27636, CVE-2025-29891, CVE-2025-30177, CVE-2026-40453, CVE-2026-46454 and CVE-2026-47323, and shares the non-Camel-prefixed-header-constant root cause with the camel-cxf operationName, camel-solr SolrParam. (prefix) and camel-mongodb-gridfs gridfs.* siblings.

Mitigation

Users are recommended to upgrade to version 4.21.0, which fixes the issue. Users on the 4.14.x LTS release stream are suggested to upgrade to 4.14.8, and users on the 4.18.x release stream to 4.18.3. After upgrading, routes that drive JIRA operations via the raw header names must use the CamelJira* names (for example CamelJiraIssueKey) instead of the old values; routes that reference the JiraConstants fields need no change.

For deployments that cannot upgrade immediately, strip the camel-jira control headers from any untrusted ingress before the jira: producer (for example removing the IssueKey, ProjectKey, IssueTransitionId and related headers at the start of the route, or, more robustly, removing every inbound header the route does not explicitly use), and set the required JIRA operation parameters from a trusted source. A deny-list has to cover every header the producers read, not only the three named here; the complete set is the one defined in JiraConstants.
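As an added example (not from the advisory or the Camel project), here is the HTTP-to-JIRA bridge described in the Description in its exposed form next to the hardened form the mitigation calls for, in one RouteBuilder. It assumes camel-core, camel-platform-http and camel-jira 4.x; the JiraConstants field names are the component's (their string values change from the old names to CamelJira* with the fix, which is why referencing the fields rather than raw strings survives the upgrade), while the paths, route ids, project key, issue type and the jira.* property placeholders are made-up configuration. The hardened route goes one step beyond the advisory's deny-list: it drops every inbound header the route does not explicitly use.

```java
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.jira.JiraConstants;

/**
 * Added example: an HTTP-to-JIRA bridge in its exposed and hardened forms.
 * Not part of the advisory or of camel-jira. Paths, route ids, the project
 * key, the issue type and the {{jira.*}} placeholders are assumed configuration.
 */
public class JiraBridgeRoutes extends RouteBuilder {

    // Endpoint credentials are the service account the advisory talks about:
    // every operation the producer performs runs as this account.
    private static final String JIRA_ADD_ISSUE =
            "jira://addIssue?jiraUrl={{jira.url}}&username={{jira.user}}&password={{jira.password}}";

    @Override
    public void configure() {
        // EXPOSED (affected versions): platform-http copies request headers onto
        // the Exchange after passing them through HttpHeaderFilterStrategy, which
        // keeps anything not Camel-prefixed. The route pins three parameters, but
        // every other parameter the addIssue producer reads from headers (assignee,
        // watchers, components, ...) is taken from whatever the client sent, e.g.
        // a request carrying an "IssueAssignee" or "IssueWatchersAdd" header.
        from("platform-http:/support/ticket")
            .routeId("exposed-create-ticket")
            .setHeader(JiraConstants.ISSUE_PROJECT_KEY, constant("SUPPORT"))
            .setHeader(JiraConstants.ISSUE_TYPE_NAME, constant("Task"))
            .setHeader(JiraConstants.ISSUE_SUMMARY, simple("${body}"))
            .to(JIRA_ADD_ISSUE);

        // HARDENED: first discard every inbound header except an explicit allow-list
        // (here only a correlation id the caller may set), then set the JIRA
        // parameters from trusted values. This is independent of the header naming,
        // so it protects affected versions now and still holds after the upgrade
        // to the CamelJira* names.
        from("platform-http:/support/ticket-v2")
            .routeId("hardened-create-ticket")
            .removeHeaders("*", "X-Request-Id")
            .setHeader(JiraConstants.ISSUE_PROJECT_KEY, constant("SUPPORT"))
            .setHeader(JiraConstants.ISSUE_TYPE_NAME, constant("Task"))
            .setHeader(JiraConstants.ISSUE_SUMMARY, simple("${body}"))
            .to(JIRA_ADD_ISSUE);
    }
}
```

Two things worth noting when adapting this. A header the route sets itself (here the project key, type and summary) is assigned after the consumer has populated the Exchange, so the client cannot override it; the exposure is every parameter the route leaves to the producer's header lookup, which is why the allow-list form is safer than enumerating jira names. And removeHeaders("*", ...) also discards the CamelHttp* headers the consumer set, which is harmless for a route that ends in a jira: producer but must be reconsidered if the route later needs them.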

Credit

This issue was discovered by Yu Bao from PayPal

References

PGP signed advisory data: CVE-2026-48206.txt.asc
Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-48206