Apache Camel security advisory: CVE-2026-56139
Severity
MEDIUMSummary
Camel-Undertow: The muteException consumer option defaulted to false, so a processing error returned the full Java stack trace in the HTTP response body, disclosing sensitive internal information to unauthenticated clients - and the option was not honoured at all for Rest DSL consumersVersions affected
From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.Versions fixed
4.14.8, 4.18.3 and 4.21.0Description
The camel-undertow HTTP server consumer exposes a muteException option that controls what is returned to the client when a route processing error occurs. This option defaulted to false, whereas the other Camel HTTP server components (camel-http / camel-jetty / camel-servlet and camel-platform-http) default it to true. With muteException=false, when a request triggers an exception during route processing the consumer writes the full Throwable stack trace into the HTTP response body as text/plain instead of returning an empty body. Any unauthenticated client that can reach the endpoint and cause a processing error - for example by sending a malformed request body, an invalid parameter, or otherwise triggering a route-internal failure - therefore receives a complete Java stack trace. Such a stack trace can disclose sensitive internal information, including credentials embedded in exception messages, internal host names and IP addresses, filesystem paths, dependency and version details, database and class names, and the application's internal structure, which an attacker can use to plan further attacks. In addition, for Rest DSL consumers the muteException option was not honoured at all: the RestUndertowHttpBinding was created with a hard-coded false, so the stack trace was returned even when muteException=true had been configured.Notes
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23651 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23913 (commit 6cea553aa42ed1326ac57ad800d66674bc453932) and backported to camel-4.18.x (commit fdcf67a00470783ccb93b948883b6a4c5275aff5) and camel-4.14.x (commit b1badb58a407e4d16c8b6bba81650d4c68e55eaf). The fix aligns the muteException consumer-option default in camel-undertow with the other Camel HTTP server components, flipping it from false to true at both the component and endpoint levels, so a consumer-side processing failure returns an empty response body instead of the exception stack trace; the camel-undertow Rest DSL binding (RestUndertowHttpBinding) is also corrected to honour the configured muteException value (previously it was created with a hard-coded false, silently ignoring the option). This is a default-tightening behaviour change: muteException takes precedence over transferException, so routes that relied on receiving the exception (for example with transferException=true) on camel-undertow must now also set muteException=false explicitly (documented in the 4.21 upgrade guide as a potential breaking change). The issue is classified as CWE-209 (Generation of Error Message Containing Sensitive Information) and is an insecure-default information-exposure issue: camel-undertow defaulted muteException to false, while camel-http / camel-jetty / camel-servlet and camel-platform-http default it to true. The same insecure default in camel-netty-http is addressed separately in CVE-2026-49365, and the two advisories share the same fix (CAMEL-23651).
Mitigation
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, set muteException=true explicitly on the camel-undertow consumer (for example undertow:http://0.0.0.0:8080/api?muteException=true, or globally via the camel.component.undertow.mute-exception=true property), so that processing errors no longer return the stack trace to the client; note that on affected releases this workaround does not cover Rest DSL consumers, whose binding ignores the option until the fix is applied.Credit
This issue was discovered by Yu Bao from PayPalReferences
- PGP signed advisory data: CVE-2026-56139.txt.asc
- Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-56139