CVE-2026-49097: Improper Input Validation, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache Camel IRC component. The came
Improper Input Validation, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache Camel IRC component.
The camel-irc producer chooses the destination of an outgoing IRC message from the irc.sendTo Exchange header (the constant IrcConstants.IRC_SEND_TO, value irc.sendTo); when that header is present it overrides the channel list configured on the endpoint, and the message is sent only to the specified destination. This and the component's other control headers (irc.target, irc.messageType, irc.user.*, irc.num, irc.value) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into an irc: producer, any HTTP client could therefore set the irc.sendTo header and redirect a message that the route intended for a configured channel to an arbitrary IRC channel or user - exfiltrating the message content to an attacker-chosen nickname, leaking it into a public channel, or delivering messages that appear to come from the bot. No credentials are required when the bridging consumer is unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set IRC headers via the raw header names must use the CamelIrc* names (for example CamelIrcSendTo) instead of the old irc.* values. For deployments that cannot upgrade immediately, strip the irc.* headers from any untrusted ingress before the
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-49097
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-490970.43% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-49097 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- high[NEW] [high] Apache Camel: Multiple vulnerabilitiescert-bund
Recent advisories for Improper Input Validation
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- highCVE-2026-40454: Out-of-bounds Read, Improper Input Validation vulnerability in Apache IoTDB C++ client. Out-of…nvd · 2026-07-10
- unknownCVE-2026-21057: Improper input validation in Samsung Pass prior to version 5.2.10.3 allows local privileged at…nvd · 2026-07-10
- unknownCVE-2026-21053: Improper input validation in Samsung Email prior to version 6.2.13.1 allows local attackers to…nvd · 2026-07-10
- highCVE-2026-15288: The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to…nvd · 2026-07-10
- highCVE-2026-57026: An Improper Validation of Syntactic Correctness of Input vulnerability in the SIP plugin of Ju…nvd · 2026-07-09
- highCVE-2026-57023: An Improper Validation of Specified Quantity in Input vulnerability in the TCP proxy plugin of…nvd · 2026-07-09
More from NVD Recent CVEs
- unknownCVE-2026-57828: The Joomla extension Phoca Downloads is vulnerable to an authenticated arbitrary file upload t…2026-07-11
- unknownCVE-2026-57827: The Joomla extension RSFiles is vulnerable to an unauthenticated arbitrary file upload that al…2026-07-11
- highCVE-2026-1359: The Genolve – AI image AI video generation plugin for WordPress is vulnerable to unauthorized m…2026-07-11
- highCVE-2026-9282: The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up…2026-07-11
- mediumCVE-2026-9017: The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to autho…2026-07-11