CVE-2026-55994

Apache Software Foundation · Apache Camel Iggy

The Apache Camel Iggy component is affected by improper input validation, resulting in SSRF and the exposure of sensitive information to unauthorized actors.

Executive summary

A high-severity SSRF vulnerability in Apache Camel Iggy allows unauthenticated attackers to trigger unauthorized requests, potentially exposing sensitive system information.

Vulnerability

This flaw consists of improper input validation (CWE-20) resulting in Server-Side Request Forgery (CWE-918) and information exposure (CWE-200). Unauthenticated attackers can exploit this to force the Iggy component to perform requests on their behalf.

Business impact

A CVSS score of 7.5 indicates a high risk of unauthorized information disclosure. By leveraging the Iggy component's functionality to perform SSRF, an attacker could potentially bridge the gap between public-facing services and internal network resources, leading to data exfiltration or internal service disruption.

Remediation

Immediate Action: Update the Apache Camel Iggy component to version 4.18.3, 4.21.0, or higher to resolve the input validation issue.

Proactive Monitoring: Inspect server logs for anomalous outbound connection attempts and unexpected request parameters directed at the Iggy service endpoint.

Compensating Controls: Apply network-level egress filtering to limit the server's ability to communicate with unauthorized internal services or external malicious domains.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Security teams must prioritize the deployment of the vendor's patch. Given the nature of SSRF, limiting the network exposure of the host running the Iggy component is a critical secondary defense measure while the update is being staged.