oss-sec mailing list archives
CVE-2026-46585: Apache Camel: Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query
From: Andrea Cosentino <acosentino () apache org>
Date: Sun, 05 Jul 2026 11:59:26 +0000
Severity: moderate
Affected versions:
- Apache Camel (org.apache.camel:camel-lucene) 4.0.0 before 4.14.8
- Apache Camel (org.apache.camel:camel-lucene) 4.15.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-lucene) 4.19.0 before 4.21.0
Description:
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Lucene
Component.
The camel-lucene producer reads the search phrase from an Exchange header (LuceneConstants.HEADER_QUERY) whose value
was the plain string QUERY (and RETURN_LUCENE_DOCS for HEADER_RETURN_LUCENE_DOCS). Because these names do not start
with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP
boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that exposes a Lucene
query operation behind an HTTP consumer (for example platform-http), any HTTP client could therefore set the QUERY
header and have its value executed against the full-text index, overriding the query the route intended to run.
Depending on what is indexed, this allows reading documents the request should not have access to (for example a
match-all query returns the entire index, or the route's intended per-user filter can be replaced), and expensive
regular-expression queries can consume significant CPU. No credentials are required when the HTTP consumer is
unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases
stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are
suggested to upgrade to 4.18.3. After upgrading, routes that set the query via the raw header name must use
CamelLuceneQuery (and CamelLuceneReturnLuceneDocs) instead of QUERY / RETURN_LUCENE_DOCS. For deployments that cannot
upgrade immediately, strip the attacker-controllable headers before the Lucene producer and set the query from a
trusted source (for example removeHeader('QUERY') and removeHeader('RETURN_LUCENE_DOCS'), then setHeader('QUERY',
constant(...)) at the start of the route).
Credit:
Yu Bao from Paypal (finder)
Andrea Cosentino (remediation developer)
References:
https://camel.apache.org/security/CVE-2026-46585.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-46585
Current thread:
- CVE-2026-46585: Apache Camel: Camel-Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETURN_LUCENE_DOCS) that bypass the HTTP header filter, allowing an HTTP client to inject the full-text search query Andrea Cosentino (Jul 05)
