CVE-2026-45760

Apache Camel K: Camel K Cross-Namespace Build Deputy Attack

Title source: cna

Description

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://camel.apache.org/security/CVE-2026-45760.html

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/21/8

Scores

EPSS 0.0003

EPSS Percentile 8.4%

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-610 CWE-639

Status published

Products (3)

Apache Software Foundation/Apache Camel K 2.0.0 - 2.8.1

Apache Software Foundation/Apache Camel K 2.10.0 - 2.10.1

Apache Software Foundation/Apache Camel K 2.9.0 - 2.9.2

Published May 21, 2026

Tracked Since May 21, 2026