CVE-2026-45760

HIGH

Apache Camel K: Camel K Cross-Namespace Build Deputy Attack

Title source: cna
STIX 2.1

Description

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

References (2)

Core 2

Scores

CVSS v3 8.1
EPSS 0.0032
EPSS Percentile 24.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-610 CWE-639
Status published
Products (6)
apache/camel-k 0 - 2.8.1Go
apache/camel-k 2.10.0 - 2.10.1Go
apache/camel-k 2.9.0 - 2.9.2Go
Apache Software Foundation/Apache Camel K 2.0.0 - 2.8.1
Apache Software Foundation/Apache Camel K 2.10.0 - 2.10.1
Apache Software Foundation/Apache Camel K 2.9.0 - 2.9.2
Published May 21, 2026
Tracked Since May 21, 2026