---
title: "Apache Camel Security Advisory - CVE-2026-45760"
date: 2026-05-18T09:00:00+02:00
url: /security/CVE-2026-45760.html
draft: false
type: security-advisory
cve: CVE-2026-45760
severity: HIGH
summary: "Camel K Cross-Namespace Build Deputy Attack"
description: "(Externally Controlled Reference to a Resource in Another Sphere), (Authorization Bypass Through User-Controlled Key) vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace."
mitigation: "Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue."
credit: "This issue was discovered by @j311yl0v3u (2439839508@qq.com) and @b0b0haha (603571786@qq.com)"
affected: "This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1."
fixed: 2.8.1, 2.9.2 and 2.10.1
---

The pull requests https://github.com/apache/camel-k/pull/6626 (2.10.x), https://github.com/apache/camel-k/pull/6627 (2.9.x) and https://github.com/apache/camel-k/pull/6629 (2.8.x) refer to the commits that resolved the issue, and have more details.
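As an added example (not part of the advisory or of Apache Camel K), the helper below checks an operator version string against the affected ranges stated above and names the first fixed release of the matching range. It compares versions numerically, because plain string comparison sorts 2.10.0 before 2.9.2. Treating a pre-release build of a fixed version (for example a `-SNAPSHOT` suffix) as still affected is an assumption of this example, as are the function names.

```python
import re

# Affected ranges from the advisory: (first affected, first fixed release).
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 8, 1)),
    ((2, 9, 0), (2, 9, 2)),
    ((2, 10, 0), (2, 10, 1)),
]

# MAJOR.MINOR.PATCH with optional leading "v", pre-release and build suffix.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(?:\+.*)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a version string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(m.group(i)) for i in (1, 2, 3))
    return numbers, m.group(4) is not None


def triage(version_text):
    """Return (affected, first_fixed_release_or_None) for a Camel K version."""
    version, prerelease = parse_version(version_text)
    for first_affected, first_fixed in AFFECTED_RANGES:
        # Assumption: a pre-release of the fixed version predates the fix.
        below_fix = version < first_fixed or (version == first_fixed and prerelease)
        if first_affected <= version and below_fix:
            return True, ".".join(str(n) for n in first_fixed)
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory of operator versions, not real deployments.
    for v in ["2.7.3", "2.8.1", "v2.9.1", "2.10.0", "2.10.1-SNAPSHOT", "2.10.1"]:
        affected, fix = triage(v)
        status = f"AFFECTED, upgrade to {fix} or later" if affected else "not affected"
        print(f"{v:18} {status}")
```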