Apache Camel security advisory: CVE-2026-49365

Severity

MEDIUM

Summary

Camel-Netty-HTTP: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients

Versions affected

From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Versions fixed

4.14.8, 4.18.3 and 4.21.0

Description

The camel-netty-http HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false because the backing field was an uninitialised primitive boolean (Java's default of false), whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain (via DefaultNettyHttpBinding) instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks.

Notes

The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException consumer-option default in camel-netty-http with the other Camel HTTP server components, flipping it from false to true at both the component and endpoint levels, so a consumer-side processing failure returns an empty response body instead of the exception stack trace. This is a default-tightening behaviour change: muteException takes precedence over transferException, so routes that relied on receiving the exception (for example with transferException=true) on camel-netty-http must now also set muteException=false explicitly (documented in the 4.21 upgrade guide as a potential breaking change). The issue is classified as CWE-209 (Generation of Error Message Containing Sensitive Information) and is an insecure-default information-exposure issue: camel-netty-http defaulted muteException to false (the backing field was an uninitialised primitive boolean), while camel-http / camel-jetty / camel-servlet and camel-platform-http default it to true. The same insecure default in camel-undertow is addressed separately in CVE-2026-56139, and the two advisories share the same fix (CAMEL-23651).

Mitigation

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-netty-http consumer (for example netty-http:http://0.0.0.0:8080/api?muteException=true, or globally via the camel.component.netty-http.configuration.mute-exception=true property), so that processing errors no longer return the stack trace to the client.

Credit

This issue was discovered by Yu Bao from PayPal

References

PGP signed advisory data: CVE-2026-49365.txt.asc
Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-49365