Skip to main content

camel-salesforce CVE-2026-49099

| EUVDEUVD-2026-41845 MEDIUM
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
5.3
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
10.0 CRITICAL

AV:N and PR:N for unauthenticated HTTP boundary; S:C because exploitation crosses into Salesforce as a distinct system; A:L for potential destructive Apex calls without classic service availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 07, 2026 - 13:22 NVD
5.3 (MEDIUM)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 05, 2026 - 20:31 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Header injection in Apache Camel's camel-salesforce component allows any HTTP client to override SOQL queries, SOSL searches, Salesforce object targets, and Apex REST endpoints by setting non-Camel-prefixed Exchange headers that the framework's HttpHeaderFilterStrategy fails to block. Routes that bridge an HTTP consumer (such as platform-http) into a salesforce: producer are the attack surface; when that HTTP consumer is unauthenticated, exploitation requires zero attacker credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Send HTTP request with injected sObjectQuery or apexUrl header
Delivery
Header name lacks Camel prefix, passes HttpHeaderFilterStrategy unchecked
Exploit
Camel Exchange delivers attacker header into salesforce: producer
Execution
AbstractSalesforceProcessor.getParameter() selects header over endpoint config
Persist
Salesforce executes attacker-controlled SOQL, CRUD, or Apex call
Impact
Data exfiltrated or destructive operation performed under integration user permissions

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific architectural conditions: (1) a Camel route must be configured that bridges an HTTP consumer component (platform-http, servlet, jetty, or any other HTTP-facing Camel consumer) directly into a salesforce: producer, and (2) the attacker must be able to send HTTP requests to that consumer - either because the consumer is intentionally unauthenticated or because the attacker holds any valid credential for it. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score was provided in the input data, requiring independent assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting an organization with a public-facing or internally-accessible Apache Camel integration route that accepts HTTP requests and proxies them to Salesforce crafts an HTTP request containing a custom 'sObjectQuery' header with an arbitrary SOQL statement such as 'SELECT Id, Name, AnnualRevenue FROM Account'. The header passes through HttpHeaderFilterStrategy unchecked because its name lacks the Camel prefix, AbstractSalesforceProcessor.getParameter() reads it in preference to the route's configured query, and Salesforce executes the injected SOQL under the integration user's credentials, returning account records to the attacker. …
Remediation Upgrade org.apache.camel:camel-salesforce to version 4.14.8 (for the 4.14.x LTS stream), 4.18.3 (for the 4.18.x stream), or 4.21.0 (latest), as confirmed by the Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-49099.html. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Apache Camel instances with HTTP-to-Salesforce routes using camel-salesforce component; disconnect or enforce authentication on vulnerable entry points. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Camel

View all
CVE-2025-27636 MEDIUM POC
5.6 Mar 09

Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0

CVE-2014-0002 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file

CVE-2016-8749 CRITICAL POC
9.8 Mar 28

Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri

CVE-2014-0003 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo

CVE-2026-23552 CRITICAL POC
9.1 Feb 23

Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper

CVE-2026-25747 HIGH POC
8.8 Feb 23

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria

CVE-2026-40473 HIGH POC
8.8 Apr 27

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp

CVE-2019-0194 HIGH POC
7.5 Apr 30

Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2017-12634 CRITICAL
9.8 Nov 15

The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se

CVE-2015-5344 CRITICAL
9.8 Feb 03

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb

CVE-2017-12633 CRITICAL
9.8 Nov 15

The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s

CVE-2013-4330 MEDIUM
6.8 Oct 04

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb

Share

CVE-2026-49099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy