Severity: moderate 

Affected versions:

- Apache Camel (org.apache.camel:camel-lucene) 4.0.0 before 4.14.8
- Apache Camel (org.apache.camel:camel-lucene) 4.15.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-lucene) 4.19.0 before 4.21.0

Description:

Improper Input Validation, Authorization Bypass Through User-Controlled Key 
vulnerability in Apache Camel Lucene Component.

The camel-lucene producer reads the search phrase from an Exchange header 
(LuceneConstants.HEADER_QUERY) whose value was the plain string QUERY (and 
RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not 
start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks 
only the Camel header namespace on the HTTP boundary - let them pass from an 
inbound HTTP request straight into the Exchange. In a route that exposes a 
Lucene query operation behind an HTTP consumer (for example platform-http), any 
HTTP client could therefore set the QUERY header and have its value executed 
against the full-text index, overriding the query the route intended to run. 
Depending on what is indexed, this allows reading documents the request should 
not have access to (for example a match-all query returns the entire index, or 
the route's intended per-user filter can be replaced), and expensive 
regular-expression queries can consume significant CPU. No credentials are 
required when the HTTP consumer is unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If 
users are on the 4.14.x LTS releases stream, then they are suggested to upgrade 
to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. After upgrading, routes that set the query via the raw 
header name must use CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead 
of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot upgrade immediately, 
strip the attacker-controllable headers before the Lucene producer and set the 
query from a trusted source (for example removeHeader('QUERY') and 
removeHeader('RETURN_LUCENE_DOCS'), then setHeader('QUERY', constant(...)) at 
the start of the route).

Credit:

Yu Bao from Paypal (finder)
Andrea Cosentino (remediation developer)

References:

https://camel.apache.org/security/CVE-2026-46585.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-46585

Reply via email to