CVE-2026-48203

Apache Software Foundation · Apache Camel

The Apache Camel Solr component is vulnerable to SSRF and parameter injection due to improper header validation, allowing unauthenticated attackers to manipulate requests via crafted HTTP headers.

Executive summary

An unauthenticated remote attacker can exploit an SSRF and parameter injection vulnerability in Apache Camel, potentially leading to unauthorized internal network access and data manipulation.

Vulnerability

This vulnerability involves improper neutralization of input in the Solr component, where specific message headers are not correctly filtered. Unauthenticated attackers can inject arbitrary Solr parameters—such as 'shards' or 'stream.url'—to perform SSRF or inject malicious fields into indexed documents.

Business impact

The ability for an unauthenticated user to perform server-side requests poses a significant risk to internal infrastructure, as attackers can bypass perimeter defenses to interact with internal services or cloud metadata endpoints. With a CVSS score of 9.1, this critical vulnerability could lead to total compromise of data integrity and unauthorized information disclosure, directly impacting system confidentiality and operational security.

Remediation

Immediate Action: Upgrade to Apache Camel version 4.21.0, or the version 4.14.8 or 4.18.3 LTS releases as applicable to your environment.

Proactive Monitoring: Review ingress traffic logs for suspicious HTTP headers containing 'SolrParam.' or 'SolrField.' prefixes, which indicate attempts to leverage this injection path.

Compensating Controls: If patching is delayed, implement a WAF or ingress filter to strip 'SolrParam.' and 'SolrField.' headers from untrusted external requests before they reach the Camel route.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical severity and the ease of exploitation via unauthenticated network requests, organizations should prioritize patching as an urgent task. Ensure that post-patching, all routes are updated to utilize the new 'CamelSolrParam.' and 'CamelSolrField.' prefixes to maintain secure communication with Solr instances.