CVE-2026-45760
Description
An Externally Controlled Reference to a Resource in Another Sphere and Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace.
This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1.
Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Camel K fails to enforce namespace boundaries on Build resources, letting authorized users control Pod creation in other namespaces including the operator namespace.
Vulnerability
Apache Camel K versions 2.0.0 through 2.8.0, 2.9.0 through 2.9.1, and 2.10.0 are affected by an externally controlled reference and authorization bypass vulnerability [1]. A user authenticated to a Kubernetes namespace can craft a Build resource that specifies a target namespace for Pod generation, including the operator namespace, thereby bypassing intended namespace isolation [1].
Exploitation
An authenticated Kubernetes user with permission to create Build resources in at least one namespace can launch this attack. By setting a non-null cross-namespace reference in the Build spec, the attacker triggers Pod creation in an arbitrary namespace (e.g., camel-k-operator), bypassing standard namespace-scoped RBAC controls. No additional privileges beyond the ability to create Builds are required [1].
Impact
Successful exploitation permits the attacker to control Pod generation in a namespace outside their authorized scope, including the operator namespace. This can lead to privilege escalation, arbitrary code execution in the operator's security context, and compromise of cluster-wide resources managed by the Camel K operator [1].
Mitigation
The vulnerability is fixed in Camel K versions 2.8.1, 2.9.2, and 2.10.1, released 2026-05-21 [1]. Users running any affected version should upgrade immediately to the appropriate fixed release. No workaround is documented for older versions; upgrading is the only advised mitigation [1].
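A detection heuristic for the namespace boundary described above, added here as example code that is not part of the advisory or of the Camel K project. It walks each Build's spec for any string field whose key ends in "namespace" and reports values that differ from the Build's own namespace; the sample objects, and the builderPodNamespace field name used in them, are constructed assumptions rather than a statement of which field the CVE concerns.

```python
import json
import sys

# Constructed sample Build objects (not data from a real cluster). The
# field name "builderPodNamespace" is an assumption used only for the sample.
SAMPLE_BUILDS = [
    {"apiVersion": "camel.apache.org/v1", "kind": "Build",
     "metadata": {"name": "kit-ok", "namespace": "team-a"},
     "spec": {"tasks": [{"builder": {"name": "builder",
                                     "configuration": {"strategy": "pod"}}}]}},
    {"apiVersion": "camel.apache.org/v1", "kind": "Build",
     "metadata": {"name": "kit-suspicious", "namespace": "team-a"},
     "spec": {"tasks": [{"builder": {"name": "builder",
                                     "configuration": {"strategy": "pod",
                                                       "builderPodNamespace": "camel-k-operator"}}}]}},
]


def namespace_refs(node, path="spec"):
    """Yield (json_path, value) for every string field whose key ends in 'namespace'."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and key.lower().endswith("namespace"):
                yield child, value
            else:
                yield from namespace_refs(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from namespace_refs(item, f"{path}[{i}]")


def find_cross_namespace_builds(builds):
    """Return one finding per spec field that points outside the Build's own namespace."""
    findings = []
    for build in builds:
        own_ns = build["metadata"]["namespace"]
        for path, target in namespace_refs(build.get("spec", {})):
            if target and target != own_ns:
                findings.append({"build": f"{own_ns}/{build['metadata']['name']}",
                                 "path": path, "target": target})
    return findings


if __name__ == "__main__":
    # Live use: kubectl get builds.camel.apache.org -A -o json | python3 audit_builds.py
    data = json.load(sys.stdin) if not sys.stdin.isatty() else {"items": SAMPLE_BUILDS}
    for f in find_cross_namespace_builds(data.get("items", [])):
        print(f"{f['build']}: {f['path']} -> {f['target']}")
```

Any hit is worth reviewing by hand: the heuristic keys on field names, so it cannot tell a legitimately configured builder namespace from an abusive one, and it only inspects Builds that already exist rather than blocking new ones.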
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.