Skip to content

Add new Camel security advisories (2026-07-03 CVE batch)#1686

Merged
oscerd merged 31 commits into
apache:mainfrom
oscerd:new-camel-cves-to-be-released
Jul 5, 2026
Merged

Add new Camel security advisories (2026-07-03 CVE batch)#1686
oscerd merged 31 commits into
apache:mainfrom
oscerd:new-camel-cves-to-be-released

Conversation

@oscerd

@oscerd oscerd commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds new Apache Camel security advisories under content/security/, prepared for the 2026-07-03 release. Each advisory is a Hugo page (CVE-XXXX.md) plus a PGP-clearsigned copy (CVE-XXXX.txt.asc) signed with the Camel security key (27663406EB6DBAF5291F2615E34E9F3802FF4100, SHA-512). Only content/security/ is touched.

Advisories (29)

CVE-2026-40047, CVE-2026-40859, CVE-2026-42527, CVE-2026-43865, CVE-2026-46453, CVE-2026-46454, CVE-2026-46455, CVE-2026-46456, CVE-2026-46457, CVE-2026-46584, CVE-2026-46585, CVE-2026-46590, CVE-2026-46591, CVE-2026-46592, CVE-2026-46726, CVE-2026-48203, CVE-2026-48204, CVE-2026-48205, CVE-2026-48206, CVE-2026-49086, CVE-2026-49097, CVE-2026-49098, CVE-2026-49099, CVE-2026-49365, CVE-2026-53913, CVE-2026-55993, CVE-2026-55994, CVE-2026-56139, CVE-2026-56140

Notable structure

Several advisories were scoped so each targets a single component, with bidirectional cross-references:

  • camel-vertx-websocketCVE-2026-46726; siblings CVE-2026-55993 (camel-atmosphere-websocket) and CVE-2026-55994 (camel-iggy). Shared fix: CAMEL-23532.
  • camel-netty-httpCVE-2026-49365; sibling CVE-2026-56139 (camel-undertow). Shared fix: CAMEL-23651.
  • camel-aws2-sqsCVE-2026-46456; sibling CVE-2026-56140 (camel-aws2-sns — LOW, defense-in-depth: aws2-sns is producer-only, so no reachable inbound path). Shared fix: CAMEL-23506.

Notes

  • Advisory date fields are set to 2026-07-03, except CVE-2026-42527 which retains its earlier 2026-04-29 date.
  • The security section list is rendered automatically by the Hugo template, so no index/data file changes are needed.

🤖 Generated with Claude Code

oscerd and others added 30 commits July 5, 2026 10:10
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
…summaries

Stripped the leading "Apache Camel: " from the summary field of the 23 security advisories added in June 2026, since the prefix is redundant on the Apache Camel security pages. Regenerated and re-signed each matching .txt.asc clearsigned file from the updated .md using the original advisory key (27663406EB6DBAF5291F2615E34E9F3802FF4100, SHA512), so the signed copies stay in sync.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
…dvisories

Split the camel-atmosphere-websocket and camel-iggy consumers out of CVE-2026-46726 into their own advisories, since each now has a dedicated CVE id. All three share the same fix (CAMEL-23532, PR apache/camel#23285): inbound external parameters were mapped into the Exchange without a HeaderFilterStrategy, allowing Camel control-header injection (SSRF and secret disclosure when bridged to an HTTP producer). Atmosphere-websocket (from 4.0.0) is fixed in 4.14.8/4.18.3/4.21.0; iggy (introduced in 4.17.0, not on the 4.14.x line) is fixed in 4.18.3/4.21.0. Each advisory has a PGP-clearsigned .txt.asc. Also corrected the iggy scope note in CVE-2026-46726 (affected from 4.17.0, not 4.18.0) and re-signed its .txt.asc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Now that camel-atmosphere-websocket and camel-iggy have dedicated advisories (CVE-2026-55993, CVE-2026-55994), narrow CVE-2026-46726 to camel-vertx-websocket: trim the summary (title) and description to that single component, focus the fix note on VertxWebsocketHeaderFilterStrategy, and replace the per-component scope note with cross-references to the two sibling advisories. The .txt.asc is re-signed. The sibling advisories were reviewed and already single-component with matching cross-references, so they are unchanged.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
…(camel-undertow)

CVE-2026-49365 covered both camel-netty-http and camel-undertow; narrow it to camel-netty-http and document the same insecure muteException=false default for camel-undertow in a dedicated CVE-2026-56139, including the undertow-only Rest DSL bug (RestUndertowHttpBinding hard-coded muteException to false). Both share the CAMEL-23651 fix (PR apache/camel#23913) and cross-reference each other. Also corrected the 4.18.x/4.14.x backport commit hashes: the published CVE-2026-49365 cited an unrelated CAMEL-23734 VertxHttpTransferExceptionTest commit; the real backports are fdcf67a00470783ccb93b948883b6a4c5275aff5 (camel-4.18.x) and b1badb58a407e4d16c8b6bba81650d4c68e55eaf (camel-4.14.x). Both .txt.asc regenerated and re-signed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
CAMEL-23506 added an inbound Camel-namespace filter to Sns2HeaderFilterStrategy alongside the camel-aws2-sqs fix. camel-aws2-sns is producer-only (Sns2Endpoint.createConsumer throws UnsupportedOperationException), so there is no reachable inbound header-injection path; document this as a LOW-severity defense-in-depth hardening advisory rather than an exploitable vulnerability, cross-referencing the consumer-side camel-aws2-sqs issue CVE-2026-46456. Shares the same fix (PR apache/camel#23221, main 5f57258fb33d33ef99df10594f8fe9f11d7c2b7e, backports 7b334be0419839097a132d4ff3427fc4083e695e on camel-4.18.x and b7f78292e747a28dbf5da444265557b5f9f3c1a1 on camel-4.14.x). Also add a cross-reference sentence to CVE-2026-46456 pointing at the SNS hardening, and re-sign its .txt.asc. New advisory has a PGP-clearsigned .txt.asc.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
…-sign

Bump the date frontmatter of the 28 unreleased June-2026 CVE advisories (previously staggered across 2026-06-09/10/11/18) to the 2026-07-03 release date, and regenerate/re-sign each clearsigned .txt.asc with key 27663406EB6DBAF5291F2615E34E9F3802FF4100 (SHA512) so the signed copies match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
@oscerd
oscerd merged commit b910753 into apache:main Jul 5, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant