Add new Camel security advisories (2026-07-03 CVE batch)#1686
Merged
Conversation
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
…summaries Stripped the leading "Apache Camel: " from the summary field of the 23 security advisories added in June 2026, since the prefix is redundant on the Apache Camel security pages. Regenerated and re-signed each matching .txt.asc clearsigned file from the updated .md using the original advisory key (27663406EB6DBAF5291F2615E34E9F3802FF4100, SHA512), so the signed copies stay in sync. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
…dvisories Split the camel-atmosphere-websocket and camel-iggy consumers out of CVE-2026-46726 into their own advisories, since each now has a dedicated CVE id. All three share the same fix (CAMEL-23532, PR apache/camel#23285): inbound external parameters were mapped into the Exchange without a HeaderFilterStrategy, allowing Camel control-header injection (SSRF and secret disclosure when bridged to an HTTP producer). Atmosphere-websocket (from 4.0.0) is fixed in 4.14.8/4.18.3/4.21.0; iggy (introduced in 4.17.0, not on the 4.14.x line) is fixed in 4.18.3/4.21.0. Each advisory has a PGP-clearsigned .txt.asc. Also corrected the iggy scope note in CVE-2026-46726 (affected from 4.17.0, not 4.18.0) and re-signed its .txt.asc. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
Now that camel-atmosphere-websocket and camel-iggy have dedicated advisories (CVE-2026-55993, CVE-2026-55994), narrow CVE-2026-46726 to camel-vertx-websocket: trim the summary (title) and description to that single component, focus the fix note on VertxWebsocketHeaderFilterStrategy, and replace the per-component scope note with cross-references to the two sibling advisories. The .txt.asc is re-signed. The sibling advisories were reviewed and already single-component with matching cross-references, so they are unchanged. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
…(camel-undertow) CVE-2026-49365 covered both camel-netty-http and camel-undertow; narrow it to camel-netty-http and document the same insecure muteException=false default for camel-undertow in a dedicated CVE-2026-56139, including the undertow-only Rest DSL bug (RestUndertowHttpBinding hard-coded muteException to false). Both share the CAMEL-23651 fix (PR apache/camel#23913) and cross-reference each other. Also corrected the 4.18.x/4.14.x backport commit hashes: the published CVE-2026-49365 cited an unrelated CAMEL-23734 VertxHttpTransferExceptionTest commit; the real backports are fdcf67a00470783ccb93b948883b6a4c5275aff5 (camel-4.18.x) and b1badb58a407e4d16c8b6bba81650d4c68e55eaf (camel-4.14.x). Both .txt.asc regenerated and re-signed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
CAMEL-23506 added an inbound Camel-namespace filter to Sns2HeaderFilterStrategy alongside the camel-aws2-sqs fix. camel-aws2-sns is producer-only (Sns2Endpoint.createConsumer throws UnsupportedOperationException), so there is no reachable inbound header-injection path; document this as a LOW-severity defense-in-depth hardening advisory rather than an exploitable vulnerability, cross-referencing the consumer-side camel-aws2-sqs issue CVE-2026-46456. Shares the same fix (PR apache/camel#23221, main 5f57258fb33d33ef99df10594f8fe9f11d7c2b7e, backports 7b334be0419839097a132d4ff3427fc4083e695e on camel-4.18.x and b7f78292e747a28dbf5da444265557b5f9f3c1a1 on camel-4.14.x). Also add a cross-reference sentence to CVE-2026-46456 pointing at the SNS hardening, and re-sign its .txt.asc. New advisory has a PGP-clearsigned .txt.asc. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
…-sign Bump the date frontmatter of the 28 unreleased June-2026 CVE advisories (previously staggered across 2026-06-09/10/11/18) to the 2026-07-03 release date, and regenerate/re-sign each clearsigned .txt.asc with key 27663406EB6DBAF5291F2615E34E9F3802FF4100 (SHA512) so the signed copies match. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Andrea Cosentino <ancosen@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds new Apache Camel security advisories under
content/security/, prepared for the 2026-07-03 release. Each advisory is a Hugo page (CVE-XXXX.md) plus a PGP-clearsigned copy (CVE-XXXX.txt.asc) signed with the Camel security key (27663406EB6DBAF5291F2615E34E9F3802FF4100, SHA-512). Onlycontent/security/is touched.Advisories (29)
CVE-2026-40047, CVE-2026-40859, CVE-2026-42527, CVE-2026-43865, CVE-2026-46453, CVE-2026-46454, CVE-2026-46455, CVE-2026-46456, CVE-2026-46457, CVE-2026-46584, CVE-2026-46585, CVE-2026-46590, CVE-2026-46591, CVE-2026-46592, CVE-2026-46726, CVE-2026-48203, CVE-2026-48204, CVE-2026-48205, CVE-2026-48206, CVE-2026-49086, CVE-2026-49097, CVE-2026-49098, CVE-2026-49099, CVE-2026-49365, CVE-2026-53913, CVE-2026-55993, CVE-2026-55994, CVE-2026-56139, CVE-2026-56140
Notable structure
Several advisories were scoped so each targets a single component, with bidirectional cross-references:
CVE-2026-46726; siblingsCVE-2026-55993(camel-atmosphere-websocket) andCVE-2026-55994(camel-iggy). Shared fix: CAMEL-23532.CVE-2026-49365; siblingCVE-2026-56139(camel-undertow). Shared fix: CAMEL-23651.CVE-2026-46456; siblingCVE-2026-56140(camel-aws2-sns —LOW, defense-in-depth: aws2-sns is producer-only, so no reachable inbound path). Shared fix: CAMEL-23506.Notes
datefields are set to2026-07-03, exceptCVE-2026-42527which retains its earlier2026-04-29date.🤖 Generated with Claude Code