2 matches found
CVE-2026-46453 Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel prefix bypass inbound HTTP header filtering, allowing untrusted clients to override the Elasticsearch query and operation
Improper Input Validation, Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel ElasticSearch Rest Client. The camel-elasticsearch-rest-client component reads several Exchange headers to control its behaviour - SEARCHQUERY an advanced query body, OPERATION which...
CVE-2026-46453
Summary (CVE-2026-46453) : Apache Camel’s camel-elasticsearch-rest-client reads unprefixed HTTP header constants (SEARCH_QUERY, OPERATION, INDEX_NAME, INDEX_SETTINGS, ID). The inbound header filter only blocks headers starting with Camel/camel, so these headers bypass filtering and can be sent by...