Skip to main content

Apache Camel CVE-2026-46457

| EUVDEUVD-2026-41831 HIGH
Improper Input Validation (CWE-20)
2026-07-06 apache GHSA-7v55-q9x3-83cj
7.5
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
7.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Network-reachable with no auth against the default unauthenticated NATS server (AV:N/PR:N/AC:L); impact is header override affecting integrity only (I:H, C:N/A:N).

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

8
Analysis Updated
Jul 06, 2026 - 21:33 vuln.today
v5 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:32 vuln.today
v4 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:32 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:31 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 20:22 NVD
7.5 (HIGH)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 06, 2026 - 09:34 vuln.today

DescriptionCVE.org

Improper Input Validation vulnerability in Apache Camel NATS component.

The camel-nats component maps inbound NATS message headers into the Camel Exchange but defaulted its headerFilterStrategy to a bare new DefaultHeaderFilterStrategy() with no inbound rules configured (NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not filtered for every header name, so NatsConsumer copies every NATS message header - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - unmodified onto the Camel message. A client able to publish to the consumed NATS subject can therefore inject arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses. NATS message headers require NATS 2.2 or later, and the issue is reachable without credentials when the NATS server is configured without authentication (the NATS server default). This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes camel-nats default to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound NATS messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and enable authentication on the NATS server so that only trusted clients can publish to the consumed subject.

AnalysisAI

Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS client that can publish to a consumed subject to inject arbitrary Camel-internal control headers into the Exchange because the consumer's default DefaultHeaderFilterStrategy has no inbound filter rules. An attacker can override headers such as CamelHttpUri, CamelFileName, or CamelSqlQuery to redirect HTTP producers, rename files, or alter queries in downstream route steps. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach unauthenticated NATS subject
Delivery
Publish message with forged Camel* header
Exploit
Consumer copies header into Exchange
Execution
Header propagates across route hops
Persist
Downstream producer honors injected control header
Impact
HTTP/file/SQL action redirected or overridden

Vulnerability AssessmentAI

Exploitation Requires the target to run the camel-nats component consuming from a NATS 2.2-or-later server (message-header support), and the attacker must be able to publish to the specific consumed NATS subject - reachable without credentials only when the NATS server is configured without authentication (the NATS default). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N, base 7.5) reflects a pure integrity impact: no confidentiality or availability loss, but high integrity impact via header override, reachable over the network with low complexity and no authentication. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach an unauthenticated NATS server publishes a message to a subject consumed by a Camel route, attaching a header such as CamelHttpUri=http://attacker/collect (or CamelFileName / CamelSqlQuery). Camel copies the header onto the Exchange, and when the message reaches a downstream HTTP, file, or SQL producer the injected value redirects the request, rewrites the output file path, or overrides the query. …
Remediation Vendor-released patch: upgrade to Apache Camel 4.21.0 on the main stream; 4.14.x LTS users should move to 4.14.8, and 4.18.x users to 4.18.3, per https://camel.apache.org/security/CVE-2026-46457.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all instances of Apache Camel versions 4.0.0-4.20.x using the camel-nats component and audit NATS broker authentication configuration to confirm whether default no-auth mode is active. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33453 CRITICAL POC
10.0 Apr 27

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap

CVE-2026-40858 HIGH POC
8.8 Apr 27

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote In

CVE-2026-47323 CRITICAL
9.8 May 19

Remote code execution in Apache Camel 3.18.0-4.14.5 and 4.15.0-4.18.1 stems from CXF and Knative HeaderFilterStrategy im

CVE-2026-33454 CRITICAL
9.4 Apr 27

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the

CVE-2026-46590 HIGH
8.8 Jul 06

Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and

CVE-2026-27172 HIGH
8.8 Apr 27

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner C

CVE-2026-46591 HIGH
8.2 Jul 06

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMat

CVE-2026-43865 HIGH
8.1 Jul 06

Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelca

CVE-2026-40859 HIGH
8.1 Jul 06

Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a p

CVE-2026-42527 HIGH
8.1 Jul 06

Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern b

CVE-2026-46592 HIGH
7.5 Jul 06

Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0

CVE-2026-46588 HIGH
7.3 Jul 06

Improper input validation in Apache Camel (versions through 4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.0) allows remote atta

Share

CVE-2026-46457 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy