Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

CVE-2026-46454 -- CVSS 9.8 Vulnerability Briefing

CVE-2026-46454 | CVSS 9.8 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-46454 is a critical improper input validation vulnerability in the Apache Camel Cometd component, affecting the camel-cometd integration within the Apache Camel framework.

Technical Detail

The flaw exists because the camel-cometd component maps inbound Bayeux (CometD) message headers directly into the Camel Exchange object without applying a HeaderFilterStrategy or equivalent input sanitization. An attacker who can send crafted Bayeux protocol messages to an exposed CometD endpoint can inject arbitrary headers into the Camel Exchange, potentially influencing downstream routing logic, bypassing security controls, or achieving remote code execution depending on the components and processors configured in the Camel route. The absence of header filtering creates a broad attack surface in any deployment where the camel-cometd component is exposed to untrusted input.

Exploitation Status

No known exploit code has been publicly identified at this time, and this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. Despite the absence of confirmed exploitation, the critical CVSS score of 9.8 reflects the low attack complexity and potential for unauthenticated remote exploitation, warranting prompt remediation regardless of current exploit availability.

Who Is Targeting This

No specific threat actor attribution at this time. No confirmed or reported threat actor activity has been associated with this vulnerability as of July 13, 2026.

What To Do

Organizations using Apache Camel with the camel-cometd component should treat this as a high-priority patch given the critical severity rating and the unauthenticated remote exploitation potential. Apply the latest patched version of Apache Camel as released by the Apache Software Foundation, and verify that HeaderFilterStrategy is enforced on all CometD-facing routes. As an interim workaround, restrict network access to CometD endpoints to trusted sources only, and audit existing Camel routes that consume camel-cometd for any downstream processors that act on header values. Monitor application logs for unexpected or malformed Bayeux message headers as a detection signal pending patch deployment.

All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →