Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Network-reachable via HTTP with no privileges; scope changes because SMTP credentials are exfiltrated to an external attacker-controlled system.
Primary rating from Vendor (apache).
CVSS VectorVendor: apache
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Camel Mail Component.
The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (for example platform-http query parameters or request headers, or JMS / Kafka messages from untrusted producers) that feeds a route ending in an smtp / smtps producer without an intervening removeHeaders. The maximal impact is version-dependent: on releases before 4.19.0, setting mail.smtp.host redirects the SMTP connection to a server under the attacker's control, and because the producer then authenticates with the endpoint's configured username and password those credentials are transmitted to the attacker; on 4.19.0 and later the producer connects to the endpoint's configured host explicitly, so the reachable impact is limited to weakening transport security (for example mail.smtp.ssl.trust, mail.smtp.starttls.enable or mail.smtp.socks.host) and interception of the outgoing message rather than host redirect. Exploitation requires a route that channels untrusted input into the mail producer without stripping the namespace. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the per-message override is disabled by default; enable it only on trusted endpoints with useJavaMailSessionPropertiesFromHeaders=true. For deployments that cannot upgrade immediately, strip the namespace before the mail producer with removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') between any untrusted ingress and the smtp / smtps producer. Even with the opt-in enabled, route authors should still strip the namespace on any path that carries untrusted input.
AnalysisAI
Header injection in Apache Camel Mail Component enables attackers to override SMTP JavaMail session properties by supplying crafted headers in the mail.smtp./ mail.smtps. namespace through any untrusted inbound protocol - including HTTP query parameters, JMS, or Kafka - that feeds into a Camel route terminating at an SMTP producer. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a Camel route where: (1) an untrusted inbound protocol - such as platform-http (including unauthenticated HTTP endpoints), JMS, or Kafka from an untrusted producer pool - feeds messages into (2) a camel-mail smtp or smtps producer endpoint, (3) without an intervening removeHeaders('mail.smtp.*') or removeHeaders('mail.smtps.*') step or equivalent HeaderFilterStrategy. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is high for pre-4.19.0 deployments but requires a specific - if common - architectural pattern: untrusted input (HTTP, JMS, Kafka) flowing into a Camel route that writes to an SMTP producer without an intervening removeHeaders step. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sending an HTTP request to a public Camel platform-http endpoint includes the query parameter mail.smtp.host=attacker.example.com along with mail.smtp.port=25. The route processes the request and passes it to a camel-mail SMTP producer without a removeHeaders step; the producer builds a per-message JavaMail session using those values, redirects the SMTP connection to attacker.example.com, and authenticates using the endpoint's configured username and password - transmitting those credentials to the attacker. … |
| Remediation | The primary fix is to upgrade to a patched release: Apache Camel 4.21.0 (current), 4.14.8 (LTS stream), or 4.18.3, per the vendor advisory at https://camel.apache.org/security/CVE-2026-46584.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41832
GHSA-29vj-9mgp-mwp2