About “Apache Camel”

A curated feed of “Apache Camel”-related CVEs appears below. We currently track 41 CVEs for this tag (all time). In the last 365 days, 14 were published. Average CVSS is 8.0 (all time; 8.8 over 365d), and 76% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-502 - Deserialization of Untrusted Data, CWE-178 - Improper Handling of Case Sensitivity, CWE-610 - Externally Controlled Reference to a Resource in Another Sphere.

In our taxonomy this topic maps to a LOW impact class. Integration platforms and ESBs bridge systems. Patch runtimes and connectors, restrict admin consoles, validate signer keys, and monitor flows. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: apache-camel

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle | Release | Latest  | EOL     | LTS
4.20  |         | 4.20.0  | -       |
4.19  |         | 4.19.0  | Expired |
4.18  |         | 4.18.2  |         | LTS
4.17  |         | 4.17.0  | Expired |
4.16  |         | 4.16.0  | Expired |
4.15  |         | 4.15.0  | Expired |
4.14  |         | 4.14.7  | Soon    | LTS
4.13  |         | 4.13.0  | Expired |
4.12  |         | 4.12.0  | Expired |
4.11  |         | 4.11.0  | Expired |
4.10  |         | 4.10.9  | Expired | LTS
4.9   |         | 4.9.0   | Expired |
4.8   |         | 4.8.9   | Expired | LTS
4.7   |         | 4.7.0   | Expired |
4.6   |         | 4.6.0   | Expired |
4.5   |         | 4.5.0   | Expired |
4.4   |         | 4.4.5   | Expired | LTS
3.22  |         | 3.22.4  | Expired | LTS
4.3   |         | 4.3.0   | Expired |
4.2   |         | 4.2.0   | Expired |
4.1   |         | 4.1.0   | Expired |
4.0   |         | 4.0.6   | Expired | LTS
3.21  |         | 3.21.5  | Expired | LTS
3.20  |         | 3.20.9  | Expired | LTS
3.19  |         | 3.19.0  | Expired |
3.18  |         | 3.18.8  | Expired | LTS
3.17  |         | 3.17.0  | Expired |
3.16  |         | 3.16.0  | Expired |
3.15  |         | 3.15.0  | Expired |
3.14  |         | 3.14.10 | Expired | LTS
3.13  |         | 3.13.0  | Expired |
3.12  |         | 3.12.0  | Expired |
3.11  |         | 3.11.7  | Expired | LTS
3.10  |         | 3.10.0  | Expired |
3.9   |         | 3.9.0   | Expired |
3.8   |         | 3.8.0   | Expired |
3.7   |         | 3.7.7   | Expired | LTS
3.6   |         | 3.6.0   | Expired |
3.5   |         | 3.5.0   | Expired |
3.4   |         | 3.4.6   | Expired | LTS
3.3   |         | 3.3.0   | Expired |
3.2   |         | 3.2.0   | Expired |
3.1   |         | 3.1.0   | Expired |
2.25  |         | 2.25.4  | Expired | LTS
3.0   |         | 3.0.1   | Expired |

EOL legend: Maintained · Soon (≤ 180 days) · Expired


CVEs tagged with this topic:
2026-05-21
High

CVE-2026-45760

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can c…

2026-05-19
Critical

CVE-2026-47323

Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFil…

2026-04-27
Critical

CVE-2026-33453

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message…

High

CVE-2026-27172

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Con…

High

CVE-2026-40858

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInput…

High

CVE-2026-40022

When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via c…

Critical

CVE-2026-33454

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOu…

Critical

CVE-2026-40860

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject()…

High

CVE-2026-40473

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions.…

Critical

CVE-2026-40453

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExec…

High

CVE-2026-40048

The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilte…

2026-02-23
High

CVE-2026-25747

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository usi…

Critical

CVE-2026-23552

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens again…

2026-01-14
Medium

CVE-2025-66169

Cypher Injection vulnerability in Apache Camel camel-neo4j component. This issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.3, from 4.15.0 before 4.17.0. Users are reco…

2025-04-01
Medium

CVE-2025-30177

Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users ar…

2025-03-12
Medium

CVE-2025-29891

Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to v…

2025-03-09
Medium

CVE-2025-27636

Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 throug…

2024-02-26
Low

CVE-2024-22371

Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Cam…

2024-02-20
Critical

CVE-2024-23114

Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository which is vulnerable to unsafe deserialization. Under specific conditions it is possible to…

High

CVE-2024-22369

Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0…

2023-07-10
Low

CVE-2023-34442

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Camel. This issue affects Apache Camel: from 3.X through <=3.14.8, from 3.18.X through <=3…

2020-05-14
Critical

CVE-2020-11973

Apache Camel Netty enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrade t…

Critical

CVE-2020-11972

Apache Camel RabbitMQ enables Java deserialization by default. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 are affected. 2.x users should upgrade to 2.25.1, 3.x users should upgrad…

High

CVE-2020-11971

Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0.

2019-05-28
High

CVE-2019-0188

Apache Camel prior to 2.24.0 contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. This affects only the camel-xmljson componen…

2019-04-30
High

CVE-2019-0194

Apache Camel's File is vulnerable to directory traversal. Camel 2.21.0 to 2.21.3, 2.22.0 to 2.22.2, 2.23.0 and the unsupported Camel 2.x (2.19 and earlier) versions may be also affected.

2018-09-17
Medium

CVE-2018-8041

Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.

2018-07-31
Critical

CVE-2018-8027

Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.

2017-11-15
Critical

CVE-2017-12634

The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to a Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security f…

Critical

CVE-2017-12633

The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to a Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security…

2017-03-28
Critical

CVE-2016-8749

Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.

2017-03-16
High

CVE-2017-5643

Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE.

2017-03-07
Critical

CVE-2017-3159

Apache Camel's camel-snakeyaml component is vulnerable to a Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.

2016-04-15
High

CVE-2015-5348

Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel routes, allow remote attackers to execute arb…

2016-02-03
Critical

CVE-2015-5344

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in an HTTP request.

2015-06-03
Medium

CVE-2015-0264

Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attackers to read arbitrary files via an extern…

Medium

CVE-2015-0263

XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allows remote attackers to read arbitrary…

2014-03-21
High

CVE-2014-0003

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java methods via a crafted message.

High

CVE-2014-0002

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary files and possibly have other unspecified impact via an XML document containing an…

2013-10-04
Medium

CVE-2013-4330

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple{}" in a CamelFileName…

2010-08-19
Critical

CVE-2010-2076

Apache CXF 2.0.x before 2.0.13, 2.1.x before 2.1.10, and 2.2.x before 2.2.9, as used in Apache ServiceMix, Apache Camel, Apache Chemistry, Apache jUDDI, Apache Geronimo, and other products, does not…
