Message-ID: <e2ae24fe-2486-faf7-4af5-1f9dd84e3930@apache.org>
Date: Thu, 21 May 2026 10:49:24 +0000
From: Pasquale Congiusti <pcongiusti@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-45760: Apache Camel K: Camel K Cross-Namespace Build Deputy Attack

Severity: important

Affected versions:

- Apache Camel K (apache/camel-k) 2.0.0 before 2.8.1
- Apache Camel K (apache/camel-k) 2.9.0 before 2.9.2
- Apache Camel K (apache/camel-k) 2.10.0 before 2.10.1

Description:

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K.

Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.

This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

Credit:

@j311yl0v3u (2439839508@...com) (finder)
@b0b0haha (603571786@...com) (finder)

References:

https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-45760
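The advisory describes a confused-deputy pattern: the operator creates Pods in whatever namespace a user-supplied Build field points at, instead of the namespace the Build itself lives in. The following Python is an added example (not Camel K code and not from the advisory) showing the vulnerable versus hardened namespace decision, an audit helper a cluster administrator can run over `kubectl get builds -A -o json` output to spot cross-namespace references, and a version check built from the affected ranges listed above. The advisory does not name the user-controlled field, so `spec.targetNamespace` is a hypothetical stand-in, and the Build objects are constructed sample data.

```python
"""Defender-side checks for cross-namespace Build references (added example).

Assumptions: the user-controlled reference is modelled as the hypothetical
field `spec.targetNamespace`; the real Camel K field name is not given in the
advisory. The sample Build list below is constructed, not captured.
"""
import json
from typing import Any, Dict, List, Tuple

# CONSTRUCTED sample in the shape of `kubectl get builds -A -o json`, reduced
# to the fields these checks read. `build-b` points at the operator namespace.
SAMPLE_BUILD_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "build-a", "namespace": "team-a"},
         "spec": {"targetNamespace": "team-a"}},
        {"metadata": {"name": "build-b", "namespace": "team-b"},
         "spec": {"targetNamespace": "camel-k-operator"}},
        {"metadata": {"name": "build-c", "namespace": "team-c"},
         "spec": {}},
    ],
})

# Affected ranges from the advisory, as half-open [lo, hi) version tuples.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 8, 1)),
    ((2, 9, 0), (2, 9, 2)),
    ((2, 10, 0), (2, 10, 1)),
]


def sample_builds() -> List[Dict[str, Any]]:
    """Parse the constructed sample into a list of Build objects."""
    return json.loads(SAMPLE_BUILD_LIST)["items"]


def pod_namespace_for_build(build: Dict[str, Any], trust_spec: bool = False) -> str:
    """Decide where the operator would create the build Pod.

    trust_spec=True reproduces the vulnerable pattern: a user-controlled key
    selects the namespace. The default pins the Pod to the Build's own
    namespace, so a user can only affect a namespace they already hold.
    """
    own_ns = build["metadata"]["namespace"]
    requested = build.get("spec", {}).get("targetNamespace")
    if trust_spec and requested:
        return requested
    return own_ns


def find_cross_namespace_builds(build_list_json: str) -> List[Tuple[str, str, str]]:
    """Audit helper: (name, own namespace, referenced namespace) for every
    Build whose hypothetical target field differs from its own namespace."""
    findings = []
    for build in json.loads(build_list_json)["items"]:
        own_ns = build["metadata"]["namespace"]
        requested = build.get("spec", {}).get("targetNamespace")
        if requested and requested != own_ns:
            findings.append((build["metadata"]["name"], own_ns, requested))
    return findings


def is_affected_version(version: str) -> bool:
    """True when a Camel K version string (e.g. '2.9.1') falls in an affected
    range; versions outside the listed ranges return False."""
    parts = tuple(int(x) for x in version.split(".")[:3])
    return any(lo <= parts < hi for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    for name, own_ns, requested in find_cross_namespace_builds(SAMPLE_BUILD_LIST):
        print(f"{own_ns}/{name} references namespace {requested}")
    for v in ("2.8.0", "2.8.1", "2.9.1", "2.10.1"):
        print(v, "affected" if is_affected_version(v) else "not in affected ranges")
```

The audit helper only flags a reference that crosses a namespace boundary; on a patched operator such a field should be ignored, but the finding still indicates a Build worth reviewing, and it is a reasonable input for an admission policy that rejects the object outright.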