GHSA-gcc7-c8mp-34qx
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AV:N and PR:N for unauthenticated HTTP boundary; S:C because exploitation crosses into Salesforce as a distinct system; A:L for potential destructive Apex calls without classic service availability impact.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Description PRE-NVD
Articles & Coverage 4
AnalysisAI
Header injection in Apache Camel's camel-salesforce component allows any HTTP client to override SOQL queries, SOSL searches, Salesforce object targets, and Apex REST endpoints by setting non-Camel-prefixed Exchange headers that the framework's HttpHeaderFilterStrategy fails to block. Routes that bridge an HTTP consumer (such as platform-http) into a salesforce: producer are the attack surface; when that HTTP consumer is unauthenticated, exploitation requires zero attacker credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific architectural conditions: (1) a Camel route must be configured that bridges an HTTP consumer component (platform-http, servlet, jetty, or any other HTTP-facing Camel consumer) directly into a salesforce: producer, and (2) the attacker must be able to send HTTP requests to that consumer - either because the consumer is intentionally unauthenticated or because the attacker holds any valid credential for it. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score was provided in the input data, requiring independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting an organization with a public-facing or internally-accessible Apache Camel integration route that accepts HTTP requests and proxies them to Salesforce crafts an HTTP request containing a custom 'sObjectQuery' header with an arbitrary SOQL statement such as 'SELECT Id, Name, AnnualRevenue FROM Account'. The header passes through HttpHeaderFilterStrategy unchecked because its name lacks the Camel prefix, AbstractSalesforceProcessor.getParameter() reads it in preference to the route's configured query, and Salesforce executes the injected SOQL under the integration user's credentials, returning account records to the attacker. … |
| Remediation | Upgrade org.apache.camel:camel-salesforce to version 4.14.8 (for the 4.14.x LTS stream), 4.18.3 (for the 4.18.x stream), or 4.21.0 (latest), as confirmed by the Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-49099.html. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Apache Camel instances with HTTP-to-Salesforce routes using camel-salesforce component; disconnect or enforce authentication on vulnerable entry points. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo
Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp
Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41845