Apache Camel K Authorization Bypass Enables Cross-Namespace Build Attacks
Apache disclosed CVE-2026-45760, an important-severity vulnerability in Apache Camel K that allows an authenticated user in one Kubernetes namespace to create a malicious Build resource that influences pod generation in another namespace. The flaw stems from an authorization bypass tied to a user-controlled key and an externally controlled reference to a resource in another sphere, enabling a cross-namespace Build Deputy attack that can reach even the operator namespace and weaken namespace isolation in multi-tenant clusters.
The issue affects Apache Camel K versions 2.0.0 through before 2.8.1, 2.9.0 through before 2.9.2, and 2.10.0 through before 2.10.1. Apache released fixes in 2.8.1, 2.9.2, and 2.10.1, and urged administrators to upgrade immediately because successful exploitation could open a path to broader Kubernetes cluster compromise. The vulnerability was reported by @j311yl0v3u and @b0b0haha.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Apache releases patched Camel K versions for CVE-2026-45760
Apache released Camel K versions 2.8.1, 2.9.2, and 2.10.1 to fix CVE-2026-45760. The vulnerability affects versions 2.0.0 through before 2.8.1, 2.9.0 through before 2.9.2, and 2.10.0 through before 2.10.1, and administrators were advised to upgrade.
Apache discloses CVE-2026-45760 in Apache Camel K
Apache disclosed CVE-2026-45760, an important-severity authorization bypass and cross-namespace build deputy flaw in Apache Camel K. The issue allows an authenticated user in one Kubernetes namespace to create a malicious Build resource that can influence pod generation in another namespace, including the operator namespace.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Apache Camel Camel-PQC Unsafe Deserialization Enables Code Execution
Apache disclosed **CVE-2026-40048**, an unsafe deserialization flaw in the Camel-PQC component of Apache Camel that can lead to arbitrary code execution. The vulnerability is in `FileBasedKeyLifecycleManager`, which deserializes `<keyId>.key` files with `java.io.ObjectInputStream` without `ObjectInputFilter` or class-loading restrictions, allowing malicious `readObject()` behavior to run before the data is cast to `java.security.KeyPair`. An attacker who can place a crafted file in the configured key directory—through path traversal, weak filesystem permissions, a compromised key provisioning pipeline, or a symlink attack—could execute code in the context of the Camel application. The issue affects `org.apache.camel:camel-pqc` versions **4.19.0 before 4.20.0** and **4.18.0 before 4.18.2**. Apache fixed the flaw by replacing `ObjectInputStream`-based key and metadata storage with **PKCS#8** and **X.509 SubjectPublicKeyInfo** Base64 JSON encoding, and advised users to upgrade to **4.20.0** or **4.18.2** on the 4.18.x LTS line. Apache credited Andrea Cosentino of the Apache Software Foundation and Venkatraman Kumar of Securin with discovering the vulnerability.
May 25, 2026
Apache Camel Deserialization Flaws Expose JMS, Mina, and Infinispan Deployments to RCE
Apache disclosed three unsafe deserialization vulnerabilities in **Apache Camel** that can lead to remote code execution in deployments using `camel-mina`, JMS-related components, and `camel-infinispan`. **CVE-2026-40473** affects `camel-mina`, where `MinaConverter.toObjectInput()` wraps network-supplied TCP or UDP data in `java.io.ObjectInputStream` without `ObjectInputFilter` or class-loading restrictions; a crafted serialized Java object can execute during `readObject()`. **CVE-2026-40860** affects `camel-jms`, `camel-sjms`, `camel-sjms2`, and `camel-amqp`, where Camel deserializes JMS `ObjectMessage` payloads through `ObjectMessage.getObject()` with the default `mapJmsMessage` option enabled and without filtering or allow/deny lists, allowing an attacker who can publish to a consumed queue or topic to trigger code execution if a gadget chain is present. Apache also disclosed **CVE-2026-40858** in `camel-infinispan`, where the ProtoStream-based remote aggregation repository deserializes data from a remote Infinispan cache using `java.io.ObjectInputStream` without an input filter; an attacker able to write to the cache can inject a malicious serialized object that executes during normal `get` or `recover` operations. The affected versions span multiple Camel release lines, including `3.0.0` and later for the JMS issue, `3.0.0` and later for `camel-mina`, and `4.0.0` and later for `camel-infinispan`, with fixes released in **4.20.0** and backported to supported streams including **4.14.6/4.14.7** and **4.18.2**. Apache tracks the flaws as `CAMEL-23319`, `CAMEL-23321`, and `CAMEL-23322`, with reports credited to researchers from **Securin** and **Innora Pte. Ltd.**
Apr 27, 2026
Apache Camel flaws expose mail, CoAP, JMS, and HTTP routes to RCE and auth bypass
Apache disclosed four vulnerabilities in **Apache Camel** affecting message handling and request protection across multiple components. The most severe issues, **`CVE-2026-33453`** and **`CVE-2026-33454`**, allow attackers to inject Camel internal headers through untrusted inputs that are copied into the Exchange without proper inbound filtering. In `camel-coap`, a single unauthenticated UDP packet can place arbitrary query parameters into Exchange headers, enabling pre-authentication remote code execution when routes forward data to header-sensitive components such as `camel-exec`, `camel-sql`, `camel-bean`, `camel-file`, or template processors. In `camel-mail`, emails received over IMAP or POP3 can carry crafted MIME headers with the `Camel` prefix that reach downstream components and similarly influence execution, making remote code execution possible in vulnerable deployments.
Apr 27, 2026