Issued: 2026-06-10
Updated: 2026-06-10

RHSA-2026:25089 - Important: HawtIO 4.4.0 for Red Hat build of Apache Camel 4 Release and security update.


Synopsis

Important: HawtIO 4.4.0 for Red Hat build of Apache Camel 4 Release and security update.

Type/Severity

Security Advisory Important

Topic

HawtIO 4.4.0 for Red Hat build of Apache Camel 4 GA Release is now available.

The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

HawtIO 4.4.0 for Red Hat build of Apache Camel 4 GA Release is now available.

The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products.

  • spring-boot: Remote code execution via timing attack in DevTools remote secret comparison [CVE-2026-40972]

  • axios: Invisible JSON Response Tampering via Prototype Pollution Gadget [CVE-2026-42044]

  • spring-boot: Arbitrary Code Execution and Session Hijacking via predictable temporary directory [CVE-2026-40973]

  • io.hawt-project: fast-uri: Path traversal vulnerability allows bypass of security policies [CVE-2026-6321]

  • axios: Authentication bypass due to prototype pollution of HTTP error handling [CVE-2026-42041]

  • axios: Denial of Service via unbounded recursion in toFormData with deeply nested request data [CVE-2026-42039]

  • axios: NO_PROXY bypass via crafted URL [CVE-2026-42043]

  • axios: HTTP Transport Hijacking via Prototype Pollution [CVE-2026-42033]

  • spring-boot: Weak pseudo-random number generation can lead to information disclosure [CVE-2026-40975]

  • io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests [CVE-2026-39852]

  • jetty-ee10-webapp: early return from the JASPIAuthenticator class without clearing ThreadLocal variables [CVE-2026-5795]

  • jetty-ee10-servlet: early return from the JASPIAuthenticator class without clearing ThreadLocal variables [CVE-2026-5795]

  • spring-boot: Authentication bypass via misconfigured Health Group additional path [CVE-2026-22731]

  • jetty-server: Eclipse Jetty: Denial of Service due to unreleased JDK Inflater from compressed HTTP requests [CVE-2026-1605]

  • vertx-core: static handler component cache can be manipulated to deny the access to static files [CVE-2026-1002]

  • io.hawt-project: prototype pollution in _.unset and _.omit functions [CVE-2025-13465]

  • hawtio-operator-container: golang: Denial of Service due to excessive resource consumption via crafted certificate [CVE-2025-61729]

  • hawtio-operator-container: Memory exhaustion in query parameter parsing in net/url [CVE-2025-61726]

  • axios: Arbitrary HTTP header injection via prototype pollution [CVE-2026-42035]

  • jetty-http: HTTP request smuggling via chunked extension quoted-string parsing [CVE-2026-2332]

  • hawtio-operator-container: Go: Denial of Service vulnerability in certificate chain building [CVE-2026-32280]

  • hawtio-operator-container: Go crypto/x509: Certificate validation bypass due to incorrect DNS constraint application [CVE-2026-33810]

  • hawtio-operator-container: Go crypto/x509: Denial of Service via inefficient certificate chain validation [CVE-2026-32281]

  • hawtio-operator-container: Root.Chmod can follow symlinks out of the root [CVE-2026-32282]

Solution

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

Affected Products

Product                          Version  Arch
Red Hat Build of Apache Camel    1        x86_64

Fixes

(none)
