CVE-2026-48205 in Camel
Summary
by MITRE • 07/06/2026
Improper Input Validation, Server-Side Request Forgery (SSRF) vulnerability in Apache Camel DNS component.
The camel-dns producers read DNS operation parameters - the resolver to query, the name or domain to look up, the record type and class, and the search term - from Exchange message headers whose constant values (DnsConstants.DNS_SERVER, DNS_NAME, DNS_DOMAIN, DNS_TYPE, DNS_CLASS, TERM) were the plain strings dns.server, dns.name, dns.domain, dns.type, dns.class and term. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a dns: producer, any HTTP client could therefore set the dns.server header to make the dig producer build a SimpleResolver pointing at an attacker-controlled DNS server - a server-side request forgery via DNS, through which the attacker observes the queried name and can return poisoned responses - and set the dns.name / dns.domain headers to resolve arbitrary internal hostnames, disclosing whether they exist (internal network reconnaissance). No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that drive DNS operations via the raw header names must use CamelDnsServer / CamelDnsName / CamelDnsDomain / CamelDnsType / CamelDnsClass / CamelDnsTerm instead of the dns.* / term names. For deployments that cannot upgrade immediately, strip the dns.* and term headers from any untrusted ingress before the dns: producer, and set the DNS server and lookup parameters from a trusted source in the route.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/06/2026
The vulnerability under discussion represents a critical security flaw within Apache Camel's DNS component that enables server-side request forgery through improper input validation mechanisms. This issue stems from the inadequate filtering of message headers during HTTP ingress processing, creating an attack vector where malicious actors can manipulate DNS resolution parameters directly through inbound HTTP requests. The flaw specifically affects the camel-dns producers which extract DNS operation parameters from Exchange message headers using constant values that lack the required Camel prefix designation.
The technical implementation of this vulnerability exploits the HttpHeaderFilterStrategy's behavior which only blocks headers within the Camel namespace while allowing plain string headers to pass through unchecked. When an HTTP consumer such as platform-http bridges into a dns: producer, any external client can set the dns.server header to redirect DNS queries toward attacker-controlled servers. This configuration enables the construction of SimpleResolver instances pointing to malicious DNS infrastructure, thereby facilitating both network reconnaissance and potential data poisoning attacks. The vulnerability operates at the intersection of improper input validation and server-side request forgery as classified by CWE-20 and CWE-918 respectively.
The operational impact of this vulnerability extends beyond simple information disclosure to encompass comprehensive internal network reconnaissance capabilities. Attackers can leverage the dns.name and dns.domain headers to query arbitrary internal hostnames, effectively mapping internal network topology without requiring authentication credentials when the bridging consumer remains unauthenticated. This reconnaissance capability provides attackers with valuable intelligence about internal services and infrastructure that would otherwise remain hidden from external observation. The vulnerability's severity is amplified by its ability to operate without authentication requirements, making it particularly dangerous in environments where untrusted parties have access to HTTP endpoints.
The mitigation strategy involves upgrading to specific patched versions of Apache Camel where the issue has been resolved through proper header filtering mechanisms. Version 4.21.0 serves as the primary fix for all affected release streams, with targeted patches available for LTS releases including 4.14.8 and 4.18.3. The recommended approach after upgrading requires route modifications to utilize Camel-prefixed header names instead of the vulnerable dns. and term variants. Organizations unable to perform immediate upgrades should implement header stripping mechanisms at ingress points to remove potentially malicious dns. and term headers before they reach the DNS producer components.
This vulnerability demonstrates the critical importance of proper input validation and secure header filtering in enterprise integration frameworks where HTTP boundaries intersect with internal service operations. The flaw highlights how seemingly innocuous configuration parameters can enable sophisticated attack patterns when combined with inadequate security controls at integration points. From an ATT&CK perspective, this issue maps to techniques involving server-side request forgery and reconnaissance activities that leverage common integration framework components to gain unauthorized access to internal network resources.