Skip to content

Add CVE-2026-46587, CVE-2026-46588 and CVE-2026-49042 advisories#1689

Merged
Croway merged 3 commits into
mainfrom
add-cve-2026-46587-46588-49042
Jul 6, 2026
Merged

Add CVE-2026-46587, CVE-2026-46588 and CVE-2026-49042 advisories#1689
Croway merged 3 commits into
mainfrom
add-cve-2026-46587-46588-49042

Conversation

@Croway

@Croway Croway commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds three new Apache Camel security advisories under content/security/:

  • CVE-2026-46587 (MEDIUM) — camel-couchbase: Non-Camel-prefixed Exchange headers (CCB_KEY, CCB_ID, CCB_TTL, CCB_DDN, CCB_VN) bypass HeaderFilterStrategy allowing operation override from untrusted input. Fix: PR #23228 (main), #23230 (4.18.x), #23231 (4.14.x).
  • CVE-2026-46588 (MEDIUM) — camel-couchdb: Non-Camel-prefixed Exchange headers (CouchDbDatabase, CouchDbSeq, CouchDbId, CouchDbRev, CouchDbMethod) bypass HeaderFilterStrategy allowing operation override from untrusted input. Fix: PR #23228 (main), #23230 (4.18.x), #23231 (4.14.x).
  • CVE-2026-49042 (MEDIUM) — camel-langchain4j-tools/agent/spring-ai-tools: Tool argument headers are not filtered against declared parameters, allowing an LLM to inject arbitrary Exchange headers via tool call arguments. Fix: PR #23535 (main), #23551 (4.18.x). JIRA: CAMEL-23621.

Structure

  • CVE-2026-46587 and CVE-2026-46588 are siblings sharing the same fix PR (#23228), with bidirectional cross-references.
  • CVE-2026-49042 affects components introduced in 4.8.0+; no 4.14.x backport (the component exists but the fix was only backported to 4.18.x).
  • .txt.asc (PGP-clearsigned) files are not included — the Camel security signing key is required.

Notes

  • Advisory date fields are set to 2026-07-03 to match the release date of 4.14.8, 4.18.3 and 4.21.0.
  • All three CVEs credit Yu Bao from PayPal.

@oscerd oscerd left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You need to publish also a txt.asc of the same.

@Croway Croway force-pushed the add-cve-2026-46587-46588-49042 branch from 1ac3781 to 40ead0a Compare July 6, 2026 07:40
@Croway Croway merged commit 2ae854d into main Jul 6, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants