A newly disclosed vulnerability in Apache Camel’s MongoDB GridFS component could allow remote attackers to delete files, enumerate storage buckets, or read sensitive data simply by manipulating HTTP headers.
Tracked as CVE-2026-48204, the flaw carries a moderate severity rating but exposes a subtle and dangerous gap in how Camel’s header-filtering logic interacts with GridFS operations.
The issue lives in camel-mongodb-gridfs, a component that enables Camel routes to perform file operations on MongoDB’s GridFS storage system. When a route doesn’t explicitly set an operation parameter on the GridFS endpoint, which is the default behavior, Camel falls back to reading the operation from an Exchange header called gridfs.operation.
Here’s the core problem: Camel’s HttpHeaderFilterStrategy is designed to block headers in the Camel/camel namespace from crossing the HTTP boundary, preventing external clients from injecting internal routing controls.
But the GridFS constants gridfs.operation, gridfs.objectid, gridfs.metadata, gridfs.chunksize, and gridfs.fileid don’t use that prefix. They sailed straight through the filter untouched.
In any route that bridges an HTTP consumer (like platform-http) into a mongodb-gridfs: producer without a hardcoded operation, an attacker could send a crafted HTTP request setting gridfs.operation to values like:
- `remove` – deletes a file identified by an attacker-supplied `gridfs.objectid`
- `listAll` – enumerates every file in the bucket
- `findOne` – reads arbitrary file contents
Worse, the `gridfs.metadata` header gets parsed directly as a MongoDB document, opening the door to NoSQL operator injection. If the bridging HTTP consumer lacks authentication, no credentials are needed at all; an attacker just needs network access to the endpoint.
[INSERT ORIGINAL QUOTE/OPINION]
The vulnerability spans three release lines:
- 4.0.0 through 4.14.7
- 4.15.0 through 4.18.2
- 4.19.0 through 4.20.x (before 4.21.0)
Any deployment using `camel-mongodb-gridfs` in a route that accepts untrusted HTTP input without explicitly pinning the GridFS operation is potentially exposed.
Apache has patched the issue by renaming the internal constants to use proper Camel-prefixed names: `CamelGridFsOperation`, `CamelGridFsObjectId`, `CamelGridFsMetadata`, `CamelGridFsChunkSize`, and `CamelGridFsFileId`. These now correctly fall under the HTTP header filter’s protection.
Organizations should upgrade to:
- 4.21.0 for the mainline release
- 4.14.8 for the 4.14.x LTS stream
- 4.18.3 for the 4.18.x stream
After upgrading, any custom code or configuration referencing the old `gridfs.` header names must be updated to the new `CamelGridFs` equivalents, or the operation override will silently stop working.
For teams unable to patch immediately, two mitigations reduce risk significantly: explicitly set the `operation` parameter on the `mongodb-gridfs:` endpoint so it’s never sourced from a header, and strip all `gridfs.*` headers from untrusted ingress traffic before it reaches the producer.
Security researcher Yu Bao of PayPal identified and reported the flaw, with Apache Camel committer Andrea Cosentino developing the fix. The disclosure was published via the oss-security mailing list and Apache’s official security advisory on July 5, 2026.
This case underscores a recurring theme in integration-framework security: naming conventions aren’t cosmetic. A single missing prefix turned an internal control header into an externally reachable attack surface a reminder that header-filtering logic is only as strong as its naming discipline.