A newly disclosed vulnerability has been found in Apache Camel K, a widely trusted open-source integration framework designed to help organizations connect disparate data systems with ease.
Tracked as CVE-2026-45760, this “Important” severity flaw introduces a dangerous cross-namespace “Build Deputy” attack vector that requires immediate attention from both infrastructure engineers and security leadership.
At its core, the vulnerability relies on an authorization bypass through a user-controlled key. In a properly locked-down Kubernetes cluster, namespaces act as rigid security boundaries to keep teams and applications safely isolated. CVE-2026-45760 shatters that isolation.
The flaw allows an already authorized user in one specific Kubernetes namespace to create a malicious Build resource. From there, they can manipulate and hijack Pod generation in completely different namespaces across the cluster—including the highly sensitive operator namespace.
If a standard user can dictate how and where pods are generated, they can effectively bypass multi-tenancy safeguards, potentially staging a broader cluster takeover.
Organizations running the following versions of Apache Camel K are currently at risk:
- 2.0.0 up to (but excluding) 2.8.1
- 2.9.0 up to (but excluding) 2.9.2
- 2.10.0 up to (but excluding) 2.10.1
The Apache Software Foundation has rolled out patched editions across all active release streams. System administrators should immediately migrate to one of the following safe versions:
- 2.10.1
- 2.9.2
- 2.8.1
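To triage an inventory against the ranges above, the following added example (not code from the advisory or the Apache Camel K project) classifies version strings or image tags and reports the fixed release for each affected stream. The image references, namespace names and function names are assumptions constructed for illustration.

```python
import re

# Affected ranges from the advisory: (first affected, first fixed release).
# The upper bound is exclusive and is also the upgrade target for that stream.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 8, 1)),
    ((2, 9, 0), (2, 9, 2)),
    ((2, 10, 0), (2, 10, 1)),
]
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

# Constructed sample: namespace -> operator image reference (not real data).
SAMPLE_INVENTORY = {
    "camel-k-operator": "registry.example.internal:5000/apache/camel-k:2.8.0",
    "team-a": "apache/camel-k:2.9.2",
    "team-b": "apache/camel-k:2.10.0",
    "team-c": "apache/camel-k@sha256:0000",
}


def parse_version(text):
    """Return (major, minor, patch) from a version or image tag, else None."""
    ref = text.split("@", 1)[0]          # drop any digest
    tag = ref.rsplit(":", 1)[-1]         # keep the tag if this is an image ref
    m = VERSION_RE.fullmatch(tag)        # suffixed builds need manual review
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Return (status, fixed_version) for one version string or image ref."""
    version = parse_version(text)
    if version is None:
        return ("unknown", None)
    # Tuples compare numerically, so 2.10.0 is not mistaken for less than 2.8.1.
    for first_affected, first_fixed in AFFECTED_RANGES:
        if first_affected <= version < first_fixed:
            return ("affected", ".".join(map(str, first_fixed)))
    return ("not-in-affected-range", None)


def triage(inventory):
    """Map each namespace to its classification."""
    return {ns: classify(image) for ns, image in inventory.items()}


if __name__ == "__main__":
    for ns, (status, fixed) in triage(SAMPLE_INVENTORY).items():
        print(f"{ns}: {status}" + (f", upgrade to {fixed}" if fixed else ""))
```

Digest-pinned images and suffixed builds come back as "unknown" and need to be resolved to a release by hand.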