Apache Camel K: Camel K Cross-Namespace Build Deputy Attack

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Description

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.

This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

Basic Information

ID CVE-2026-45760

Source apache

Published May 21, 2026 at 11:43

Modified May 23, 2026 at 02:17

Affected Product

Vendor Apache Software Foundation

Product Apache Camel K

Version 2.0.0

Affected Versions Apache Software Foundation Apache Camel K 2.0.0
Apache Software Foundation Apache Camel K 2.9.0
Apache Software Foundation Apache Camel K 2.10.0

CWE Classification

CWE-610 CWE-639

References

camel.apache.org /security/CVE-2026-45760.html

{
    "lastseen": "",
    "description": "(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.\n\nThis issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.\n\nUsers are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.",
    "published": "2026-05-21T11:43:44.844Z",
    "modified": "2026-05-23T02:17:48.106Z",
    "type": "cve",
    "title": "Apache Camel K: Camel K Cross-Namespace Build Deputy Attack",
    "source": "apache",
    "references": "https://camel.apache.org/security/CVE-2026-45760.html",
    "id": "CVE-2026-45760",
    "bulletinFamily": "",
    "cwe": [
        "CWE-610",
        "CWE-639"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Camel K 2.0.0\nApache Software Foundation Apache Camel K 2.9.0\nApache Software Foundation Apache Camel K 2.10.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Camel K",
    "version": "2.0.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Apache Camel K: Camel K Cross-Namespace Build Deputy Attack_CVE-2026-45760