CVE-2026-45760
HIGHApache Camel K: Camel K Cross-Namespace Build Deputy Attack
Title source: cnaDescription
(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
https://camel.apache.org/security/CVE-2026-45760.html
Scores
CVSS v3
8.1
EPSS
0.0032
EPSS Percentile
24.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-610
CWE-639
Status
published
Products (6)
apache/camel-k
0 - 2.8.1Go
apache/camel-k
2.10.0 - 2.10.1Go
apache/camel-k
2.9.0 - 2.9.2Go
Apache Software Foundation/Apache Camel K
2.0.0 - 2.8.1
Apache Software Foundation/Apache Camel K
2.10.0 - 2.10.1
Apache Software Foundation/Apache Camel K
2.9.0 - 2.9.2
Published
May 21, 2026
Tracked Since
May 21, 2026