CVE-2026-55994
Apache Software Foundation · Apache Camel Iggy
The Apache Camel Iggy component is affected by improper input validation, resulting in SSRF and the exposure of sensitive information to unauthorized actors.
Executive summary
A high-severity SSRF vulnerability in Apache Camel Iggy allows unauthenticated attackers to trigger unauthorized requests, potentially exposing sensitive system information.
Vulnerability
This flaw consists of improper input validation (CWE-20) resulting in Server-Side Request Forgery (CWE-918) and information exposure (CWE-200). Unauthenticated attackers can exploit this to force the Iggy component to perform requests on their behalf.
Business impact
A CVSS score of 7.5 indicates a high risk of unauthorized information disclosure. By leveraging the Iggy component's functionality to perform SSRF, an attacker could potentially bridge the gap between public-facing services and internal network resources, leading to data exfiltration or internal service disruption.
Remediation
Immediate Action: Update the Apache Camel Iggy component to version 4.18.3, 4.21.0, or higher to resolve the input validation issue.
Proactive Monitoring: Inspect server logs for anomalous outbound connection attempts and unexpected request parameters directed at the Iggy service endpoint.
Compensating Controls: Apply network-level egress filtering to limit the server's ability to communicate with unauthorized internal services or external malicious domains.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams must prioritize the deployment of the vendor's patch. Given the nature of SSRF, limiting the network exposure of the host running the Iggy component is a critical secondary defense measure while the update is being staged.