oss-sec mailing list archives

CVE-2026-45760: Apache Camel K: Camel K Cross-Namespace Build Deputy Attack


From: Pasquale Congiusti <pcongiusti () apache org>
Date: Thu, 21 May 2026 10:49:24 +0000

Severity: important 

Affected versions:

- Apache Camel K (apache/camel-k) 2.0.0 before 2.8.1
- Apache Camel K (apache/camel-k) 2.9.0 before 2.9.2
- Apache Camel K (apache/camel-k) 2.10.0 before 2.10.1

Description:

An Externally Controlled Reference to a Resource in Another Sphere and Authorization Bypass Through User-Controlled Key 
vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource that controls 
Pod generation in a namespace of their choice, including the operator namespace.

This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

Credit:

@j311yl0v3u (2439839508 () qq com) (finder)
@b0b0haha (603571786 () qq com) (finder)

References:

https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-45760
