Skip to main content

Apache Camel EUVDEUVD-2026-30895

| CVE-2026-47323 CRITICAL
Improper Handling of Case Sensitivity (CWE-178)
2026-05-19 apache GHSA-8364-hfqj-pwm6
9.8
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Red Hat
9.8 CRITICAL
qualitative

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 20, 2026 - 17:23 vuln.today
CVSS changed
May 20, 2026 - 17:22 NVD
9.8 (CRITICAL)
Patch available
May 19, 2026 - 14:02 EUVD
CVE Published
May 19, 2026 - 12:25 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 8 maven packages depend on org.apache.camel:camel-cxf-rest (3 direct, 5 indirect)

Ecosystem-wide dependent count for version 3.18.0.

DescriptionCVE.org

Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering

The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code execution or arbitrary file writes. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177), the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453).

This issue affects Apache Camel: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2.

Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.

AnalysisAI

Remote code execution in Apache Camel 3.18.0-4.14.5 and 4.15.0-4.18.1 stems from CXF and Knative HeaderFilterStrategy implementations filtering only outbound Camel-internal headers while leaving inbound traffic unfiltered, letting unauthenticated attackers inject control headers such as CamelExecCommandExecutable and CamelFileName through HTTP requests to CXF-RS, CXF-SOAP, or Knative HTTP endpoints. When such routes pipe into header-driven components like camel-exec or camel-file, the injected headers override configured values, yielding RCE or arbitrary file writes. No public exploit identified at time of analysis, but EPSS sits at only 0.04% despite the 9.8 CVSS - this is the fifth iteration of the same header-injection pattern (CVE-2025-27636, 2025-29891, 2025-30177, 2026-40453), so prior PoCs for sibling CVEs are likely portable.

Technical ContextAI

Apache Camel is an enterprise integration framework that routes and transforms messages across components; HeaderFilterStrategy classes are responsible for deciding which headers flow into and out of routes. The vulnerable classes - CxfRsHeaderFilterStrategy (camel-cxf-rest), CxfHeaderFilterStrategy (camel-cxf-transport), and KnativeHttpHeaderFilterStrategy (camel-knative-http) - call setOutFilterStartsWith to strip Camel-internal headers (those prefixed with 'Camel' or 'org.apache.camel') leaving the route, but never call the symmetric setInFilterStartsWith on the inbound path. This maps to CWE-178 (Improper Handling of Case Sensitivity) as registered, though the underlying defect is more precisely an asymmetric header allowlist that lets externally-supplied HTTP headers be treated as internal control metadata, weaponized through components like camel-exec (which honors CamelExecCommandExecutable to choose what binary to spawn) and camel-file (which honors CamelFileName to choose what path to write).

RemediationAI

Vendor-released patch: upgrade to Apache Camel 4.19.0 on the main stream, 4.18.2 on the 4.18.x LTS stream, or 4.14.6 on the 4.14.x LTS stream, per the Apache advisory at https://camel.apache.org/security/CVE-2026-47323.html. If immediate patching is not possible, the most direct compensating control is to configure a custom HeaderFilterStrategy on each CXF-RS, CXF-SOAP, and Knative HTTP consumer endpoint that explicitly calls setInFilterStartsWith with the 'Camel' and 'org.apache.camel.' prefixes - replicating the upstream fix in-place. Alternatively, place an upstream reverse proxy or WAF that strips any inbound HTTP header beginning with 'Camel' (case-insensitive) before requests reach the Camel listener; side effect is that legitimate clients depending on those prefixes will break, which is rare. As a last resort, decouple vulnerable routes by removing camel-exec and camel-file (and any other header-driven sinks) from any route fed by an exposed CXF or Knative HTTP endpoint, accepting reduced functionality until patched.

CVE-2026-33453 CRITICAL POC
10.0 Apr 27

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap

CVE-2026-40858 HIGH POC
8.8 Apr 27

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote In

CVE-2026-33454 CRITICAL
9.4 Apr 27

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the

CVE-2026-46590 HIGH
8.8 Jul 06

Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and

CVE-2026-27172 HIGH
8.8 Apr 27

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner C

CVE-2026-46591 HIGH
8.2 Jul 06

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMat

CVE-2026-43865 HIGH
8.1 Jul 06

Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelca

CVE-2026-40859 HIGH
8.1 Jul 06

Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a p

CVE-2026-42527 HIGH
8.1 Jul 06

Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern b

CVE-2026-46457 HIGH
7.5 Jul 06

Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS c

CVE-2026-46592 HIGH
7.5 Jul 06

Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0

CVE-2026-46588 HIGH
7.3 Jul 06

Improper input validation in Apache Camel (versions through 4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.0) allows remote atta

Vendor StatusVendor

Share

EUVD-2026-30895 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy