Severity: moderate 

Affected versions:

- Apache Camel (org.apache.camel:camel-mongodb-gridfs) 4.0.0 before 4.14.8
- Apache Camel (org.apache.camel:camel-mongodb-gridfs) 4.15.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-mongodb-gridfs) 4.19.0 before 4.21.0

Description:

Improper Input Validation, Improper Access Control vulnerability in Apache 
Camel in Camel Mongodb Gridfs component.

The camel-mongodb-gridfs producer selects the GridFS operation to perform from 
the gridfs.operation Exchange header when the endpoint's operation parameter is 
not set - which is the default. The control-header constants 
(GridFsConstants.GRIDFS_OPERATION, GRIDFS_OBJECT_ID, GRIDFS_METADATA, 
GRIDFS_CHUNKSIZE, GRIDFS_FILE_ID_PRODUCED) were the plain strings 
gridfs.operation, gridfs.objectid, gridfs.metadata, gridfs.chunksize and 
gridfs.fileid. Because these names do not start with the Camel / camel prefix, 
HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the 
HTTP boundary - let them pass from an inbound HTTP request straight into the 
Exchange. In a route that bridges an HTTP consumer (for example platform-http) 
into a mongodb-gridfs: producer with no explicit operation, any HTTP client 
could therefore set the gridfs.operation header to override the route's 
intended operation - switching, for example, a file upload to remove (deleting 
a file identified by the attacker-supplied gridfs.objectid), listAll 
(enumerating every file in the bucket) or findOne (reading a file) - and supply 
a gridfs.metadata value that is parsed as a MongoDB document, enabling NoSQL 
operator injection. No credentials are required when the bridging consumer is 
unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If 
users are on the 4.14.x LTS releases stream, then they are suggested to upgrade 
to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. After upgrading, routes that drive GridFS operations or 
metadata via the raw header names must use CamelGridFsOperation / 
CamelGridFsObjectId / CamelGridFsMetadata / CamelGridFsChunkSize / 
CamelGridFsFileId instead of the gridfs.* names. For deployments that cannot 
upgrade immediately, set an explicit operation on the mongodb-gridfs: endpoint 
so the operation is not taken from a header, and strip the gridfs.* headers 
from any untrusted ingress before the producer.

Credit:

Yu Bao from PayPal (finder)
Andrea Cosentino (remediation developer)

References:

https://camel.apache.org/security/CVE-2026-48204.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-48204

Reply via email to