CVE-2026-45760

CVE-2026-45760: Apache Camel K: Camel K Cross-Namespace Build Deputy Attack

Vendor Apache Software Foundation

Product Apache Camel K

Weakness CWE-610

Published May 21, 2026

Last update May 23, 2026

View on NVD All CVEs

CVSS base score

—

What the vulnerability does

Description

(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.

Key dates

Disclosure timeline

May 21, 2026 CVE published

May 23, 2026 Record updated

Identifiers

CVE CVE-2026-45760

CWE CWE-610

Affected versions

Vendor Apache Software Foundation

Product Apache Camel K

Affected ≥ 2.0.0 and < 2.8.1

Vendor Apache Software Foundation

Product Apache Camel K

Affected ≥ 2.9.0 and < 2.9.2

Vendor Apache Software Foundation

Product Apache Camel K

Affected ≥ 2.10.0 and < 2.10.1