External risk intelligence

Apache Camel Solr SSRF and Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-48203

The vulnerability exists in Apache Camel routes that bridge inbound HTTP consumers to Solr producers. Because such integration patterns are commonly used to create public-facing web applications, APIs, or data ingestion gateways that process external HTTP requests, the attack surface is frequently exposed to the internet in real-world deployment scenarios.

Server-Side Request Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in Apache Camel's Solr component allows attackers to manipulate Solr requests, potentially leading to unauthorized access to internal systems or data modification. This issue arises when the component improperly handles headers from incoming HTTP requests, forwarding them to the Solr server. The main concern is confirming relevance and exposure within our deployed Apache Camel integrations.

  • Special characters in data can alter system requests.
  • It allows unauthorized access to internal services.
  • Confirm if our integrations use this component.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by sending specially crafted HTTP requests to an Apache Camel application that connects to Apache Solr. If the Camel route is configured to accept unauthenticated HTTP requests and bridge them to a Solr producer, the attacker can inject malicious parameters into the Solr request. This can lead to the Solr server making requests to arbitrary URLs chosen by the attacker, potentially accessing internal services or cloud metadata. Additionally, attackers can inject arbitrary fields into indexed documents.

  • Unauthenticated HTTP access required.
  • Injecting Solr parameters via HTTP headers.
  • Server-side request forgery, data injection.

Live Threat

Current exploitation, exposure, and threat context

When Apache Camel's Solr component improperly handles message headers, an attacker could inject arbitrary Solr request parameters or fields. This could lead to server-side request forgery, allowing requests to be made to an attacker-chosen URL, or the injection of unauthorized fields into indexed Solr documents, when supported by an unauthenticated HTTP bridging consumer.

  • Solr request parameters and document fields.
  • Injected via HTTP headers in bridging routes.
  • Server-side requests or data tampering.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability likely impacts platform or integration teams responsible for Apache Camel routes that process inbound HTTP requests and forward them to Solr. The immediate first step is to inventory all Camel applications using the Solr component, determine their exposure, and identify the specific routes that bridge HTTP consumers to Solr producers. Once identified, assess the criticality of these routes and their associated Solr instances, then confirm the accountable application or system owner to plan remediation.

  • Platform or Integration Teams own the issue.
  • Verify Solr integration routes and exposure.
  • Plan remediation and coordinate with Solr administrators.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Apache Camel and the Solr component?

Apache Camel is an integration framework used to connect various systems by routing data between them. The Solr component is a specific part of Camel that allows applications to communicate with Apache Solr, a search platform used for indexing and querying large volumes of data. It acts as a bridge, enabling developers to easily send documents to Solr for indexing or execute search queries directly from their integration routes.

How does CVE-2026-48203 enable SSRF and injection?

This vulnerability involves improper input validation where Camel headers prefixed with 'SolrParam.' or 'SolrField.' are automatically passed through to Solr requests. This weakness, categorized as Injection (CWE-74) and Server-Side Request Forgery (CWE-918), allows an attacker to manipulate the underlying Solr request. By crafting headers, they can force the Solr server to connect to unintended external URLs or insert unauthorized data fields into indexed documents.

Do I need an authenticated connection to trigger this bug?

No. The vulnerability is triggered when a Camel route bridges an unauthenticated HTTP consumer directly to a Solr producer. Because the system does not verify the incoming headers, it blindly accepts attacker-provided parameters. If your Camel route is configured to perform authentication at the HTTP ingress point, that does not inherently block this specific header-based injection, as the flaw resides in how the data is handled within the route itself.

How do I know if my system is at risk?

Halo Surface Signal indicates that applications bridging public-facing HTTP requests to internal Solr producers are at the highest risk. If your integration acts as a gateway for external data or web traffic, it likely falls into the category of exposed infrastructure. You should audit your Camel routes to determine if they receive raw HTTP input and forward it to Solr, as this pattern is a primary indicator that the application is reachable by potential attackers.

What is the recommended response to CVE-2026-48203?

The primary fix is to upgrade to the patched Apache Camel versions (4.14.8, 4.18.3, or 4.21.0). After updating, you must update your routes to use the new 'CamelSolrParam.' and 'CamelSolrField.' prefixes. For immediate mitigation if you cannot upgrade, you should implement a filter to strip any incoming 'SolrParam.' or 'SolrField.' headers from untrusted HTTP requests before they reach the Solr producer component.

References