Apache Camel security advisory: CVE-2026-49097
Severity
MEDIUMSummary
Camel-IRC: The irc.sendTo (and other irc.*) Exchange header constants used non-Camel-prefixed names that bypass the HTTP header filter, allowing an HTTP client to redirect outgoing IRC messages to arbitrary channels or usersVersions affected
From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.Versions fixed
4.14.8, 4.18.3 and 4.21.0Description
The camel-irc producer chooses the destination of an outgoing IRC message from the irc.sendTo Exchange header (the constant IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it overrides the channel list configured on the endpoint, and the message is sent only to the specified destination. This and the component's other control headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into an irc: producer, any HTTP client could therefore set the irc.sendTo header and redirect a message that the route intended for a configured channel to an arbitrary IRC channel or user - exfiltrating the message content to an attacker-chosen nickname, leaking it into a public channel, or delivering messages that appear to come from the bot. No credentials are required when the bridging consumer is unauthenticated.Notes
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23629 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23594 (commit 0be886bf433c718abe4a27498245f6898366fb0c) and backported to camel-4.18.x (commit 2959633a6dd51a9736a9efaedaa843548fcd2d3e) and camel-4.14.x (commit 18b64b47fda68b15f4eb9f7ce8148c8b9ec819a0). The fix renames the 10 camel-irc Exchange header constant values to the CamelIrc* convention (for example irc.sendTo to CamelIrcSendTo and irc.target to CamelIrcTarget), so they are filtered on the HTTP boundary like every other Camel control header. The Java field names are unchanged, so code referencing the constants keeps working; this is a breaking change for routes that set these headers by their raw string value (irc.), which must be updated to the CamelIrc names (see the 4.21 upgrade guide). The camel-irc component is deprecated as of 4.21.0. The issue is classified as CWE-20 (Improper Input Validation) and CWE-74 (Improper Neutralization of Special Elements). It belongs to the same Camel header-injection family as CVE-2025-27636, CVE-2025-29891, CVE-2025-30177, CVE-2026-40453, CVE-2026-46454 and CVE-2026-47323, and shares the non-Camel-prefixed-header-constant root cause with the camel-cxf operationName, camel-solr SolrParam. and camel-mongodb-gridfs gridfs.* siblings.
Mitigation
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set IRC headers via the raw header names must use the CamelIrc* names (for example CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot upgrade immediately, strip the irc.* headers from any untrusted ingress before the irc: producer (for example removeHeaders(‘irc.*’) at the start of the route), and set the IRC destination from a trusted source.Credit
This issue was discovered by Yu Bao from PayPalReferences
- PGP signed advisory data: CVE-2026-49097.txt.asc
- Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-49097