Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-49042— Apache Camel: langchain4j-tools: filter tool argument headers against declared parameters

AI Predicted 5.5 Difficulty: Moderate EPSS 0.40% · P32

Possible ATT&CK Techniques 1AI

T1190 · Exploit Public-Facing Application

Affected Version Matrix 2

VendorProductVersion RangeStatus
Apache Software FoundationApache Camel4.8.0≤ 4.18.2affected
4.19.0≤ 4.20.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-49042

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache Camel: langchain4j-tools: filter tool argument headers against declared parameters
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Input Validation vulnerability in Apache Camel. This issue affects Apache Camel: from 4.8.0 through 4.18.2, from 4.19.0 through 4.20.0. Users are recommended to upgrade to version 4.18.3, 4.21.0, which fixes the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
输入验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Apache Camel 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Apache camel是美国Apache基金会开源的一个企业集成模式框架。 Apache Camel 4.8.0至4.18.2版本和4.19.0至4.20.0版本存在输入验证错误漏洞,该漏洞源于输入验证不当,可能导致网络攻击者低复杂度攻击,造成机密性、完整性和可用性低影响。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache Camel 4.8.0 ~ 4.18.2 -

II. Public POCs for CVE-2026-49042

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-49042

登录查看更多情报信息。

Vendor Advisories for CVE-2026-49042 (1)

Same Patch Batch · Apache Software Foundation · 2026-07-06 · 39 CVEs total

CVE-2026-46457Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange withou
CVE-2026-48205Apache Camel DNS: The dns.* and term Exchange header constants used non-Camel-prefixed nam
CVE-2026-48204Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed n
CVE-2026-48203Apache Camel: Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-
CVE-2026-46726Apache Camel Vertx Websocket: The inbound consumer maps externally-supplied WebSocket quer
CVE-2026-46592Apache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed name
CVE-2026-46591Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header a
CVE-2026-46590Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle manager
CVE-2026-46585Apache Camel Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETUR
CVE-2026-46584Apache Camel Mail: The mail producer applied attacker-supplied message headers as JavaMail
CVE-2026-48206Apache Camel JIRA: A set of non-Camel-prefixed Exchange header constants bypass the HTTP h
CVE-2026-46456Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange with
CVE-2026-46455Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the
CVE-2026-46454Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange wi
CVE-2026-46453Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel
CVE-2026-43865Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed H
CVE-2026-42527Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables
CVE-2026-40859Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a
CVE-2026-40047Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argum
CVE-2026-56139Apache Camel Undertow: The muteException consumer option defaulted to false, so a processi

Showing top 20 of 39 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

V. Comments for CVE-2026-49042

No comments yet


Leave a comment