From c3336e41d236f9cc5973c15b24865abe76142679 Mon Sep 17 00:00:00 2001 From: Andrea Cosentino Date: Fri, 10 Jul 2026 10:17:07 +0200 Subject: [PATCH] [GHSA-hh8r-75r6-qrg9] Improper Input Validation vulnerability in Apache Camel. Signed-off-by: Andrea Cosentino --- .../GHSA-hh8r-75r6-qrg9.json | 124 +++++++++++++++++- 1 file changed, 122 insertions(+), 2 deletions(-) diff --git a/advisories/unreviewed/2026/07/GHSA-hh8r-75r6-qrg9/GHSA-hh8r-75r6-qrg9.json b/advisories/unreviewed/2026/07/GHSA-hh8r-75r6-qrg9/GHSA-hh8r-75r6-qrg9.json index b4e5fdd35ea12..a506121a5f9bf 100644 --- a/advisories/unreviewed/2026/07/GHSA-hh8r-75r6-qrg9/GHSA-hh8r-75r6-qrg9.json +++ b/advisories/unreviewed/2026/07/GHSA-hh8r-75r6-qrg9/GHSA-hh8r-75r6-qrg9.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-hh8r-75r6-qrg9", - "modified": "2026-07-07T00:30:58Z", + "modified": "2026-07-10T07:58:22Z", "published": "2026-07-06T12:31:30Z", "aliases": [ "CVE-2026-49042" ], + "summary": "Camel-Langchain4j-Tools: Tool argument headers are not filtered against declared parameters, allowing an LLM to inject arbitrary Exchange headers via tool call arguments", "details": "Improper Input Validation vulnerability in Apache Camel.\n\nThis issue affects Apache Camel: from 4.8.0 through 4.18.2, from 4.19.0 through 4.20.0.\n\nUsers are recommended to upgrade to version 4.18.3, 4.21.0, which fixes the issue.", "severity": [ { @@ -13,7 +14,122 @@ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" } ], - "affected": [], + "affected": [ + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-langchain4j-tools" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.8.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-langchain4j-tools" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.19.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-langchain4j-agent" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.8.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-langchain4j-agent" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.19.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-spring-ai-tools" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.8.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.18.3" + } + }, + { + "package": { + "ecosystem": "Maven", + "name": "org.apache.camel:camel-spring-ai-tools" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.19.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "< 4.21.0" + } + } + ], "references": [ { "type": "ADVISORY", @@ -26,6 +142,10 @@ { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2026/07/06/17" + }, + { + "type": "PACKAGE", + "url": "https://github.com/apache/camel/tree/main/components/camel-ai/camel-langchain4j-tools" } ], "database_specific": {