Skip to main content

Apache Camel CVE-2026-56140

| EUVDEUVD-2026-41852 CRITICAL
Improper Input Validation (CWE-20)
9.8
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.8 LOW
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
0.0 LOW

Producer-only component has no reachable inbound path, so no confidentiality, integrity, or availability impact actually applies; effectively unexploitable, yielding a near-zero base score.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:N
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 06, 2026 - 21:16 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 21:15 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 20:22 NVD
9.8 (CRITICAL)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 05, 2026 - 20:18 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Improper input validation (CWE-20) in the camel-aws2-sns component of Apache Camel stems from a missing inbound HeaderFilterStrategy rule on Sns2HeaderFilterStrategy, mirroring the flaw fixed in the sibling camel-aws2-sqs component (CVE-2026-46456). However, camel-aws2-sns is producer-only - Sns2Endpoint throws UnsupportedOperationException on createConsumer - so no externally-supplied SNS message attributes are ever mapped inbound into a Camel Exchange, leaving the missing filter rule unreachable by any attacker. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
No inbound consumer path in SNS
Exploit
External attributes never mapped to Exchange
Execution
Missing filter rule unreachable
Impact
No impact (theoretical only)

Vulnerability AssessmentAI

Exploitation There is no reachable exploitation condition in camel-aws2-sns because the component is producer-only: Sns2Endpoint.createConsumer throws UnsupportedOperationException ('You cannot receive messages from this endpoint'), so no externally-supplied SNS message attributes are ever mapped inbound into a Camel Exchange, and the missing inbound filter rule cannot be triggered by any attacker-supplied input. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a textbook case of a high raw CVSS score that does not reflect real-world risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario No realistic attack scenario exists for camel-aws2-sns: the component only produces (publishes) messages to SNS and cannot consume, so an attacker cannot deliver crafted message attributes back into a Camel Exchange to inject control headers. The analogous exploitable scenario lives in the SQS sibling (CVE-2026-46456), where a message sender could inject Camel control headers via inbound message attributes mapped by Sqs2Consumer. …
Remediation Vendor-released patch: upgrade to 4.21.0, or 4.14.8 on the 4.14.x LTS stream, or 4.18.3 on the 4.18.x stream - all contain the CAMEL-23506 hardening change. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify all Apache Camel deployments using the camel-aws2-sns component; within 7 days: apply the vendor-released patch to all identified systems during normal maintenance windows; within 30 days: confirm patch deployment and regression-test SNS producer workflows.

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Camel

View all
CVE-2025-27636 MEDIUM POC
5.6 Mar 09

Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0

CVE-2014-0002 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file

CVE-2016-8749 CRITICAL POC
9.8 Mar 28

Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri

CVE-2014-0003 HIGH POC
7.5 Mar 21

The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo

CVE-2026-23552 CRITICAL POC
9.1 Feb 23

Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper

CVE-2026-25747 HIGH POC
8.8 Feb 23

Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria

CVE-2026-40473 HIGH POC
8.8 Apr 27

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp

CVE-2019-0194 HIGH POC
7.5 Apr 30

Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely

CVE-2017-12634 CRITICAL
9.8 Nov 15

The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se

CVE-2015-5344 CRITICAL
9.8 Feb 03

The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb

CVE-2017-12633 CRITICAL
9.8 Nov 15

The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s

CVE-2013-4330 MEDIUM
6.8 Oct 04

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb

Share

CVE-2026-56140 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy