CVE-2026-45760 PUBLISHED

Apache Camel K: Camel K Cross-Namespace Build Deputy Attack

Assigner: apache
Reserved: 13.05.2026 Published: 21.05.2026 Updated: 21.05.2026

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.

This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Camel K
Versions	Default: unaffected affected from 2.0.0 to 2.8.1 (excl.) affected from 2.9.0 to 2.9.2 (excl.) affected from 2.10.0 to 2.10.1 (excl.)

Credits

@j311yl0v3u (2439839508@qq.com) finder
@b0b0haha (603571786@qq.com) finder

References

https://camel.apache.org/security/CVE-2026-45760.html

Problem Types

CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) CWE
CWE-639 (Authorization Bypass Through User-Controlled Key) CWE