To see which versions of Apache Camel are supported please refer to this page.

For information on how to report a new security problem please see here.

Do not file a public JIRA ticket, open a public pull request, post on a mailing list, social media, or any other public channel for an unpublished vulnerability. Report only through the Apache Software Foundation Security team and follow their instructions.

This repository shares the same security model as Apache Camel core. Before submitting a report, please read the project's Security Model. It documents who is trusted, where the trust boundaries sit, which vulnerability classes the Camel PMC accepts, and which categories are out of scope (route-author or operator responsibility, explicit opt-ins, DoS through unthrottled routes, third-party transitive CVEs not reachable through Camel code, etc.).

camel-spring-boot is an auto-configuration layer that wraps Camel components with Spring Boot @ConfigurationProperties and lifecycle integration. It does not define its own trust boundaries, consumers, or deserialization paths. The Camel core security model applies directly.

Reports outside the documented scope will be closed with a reference to that document.