CVE-2026-33453
Published 2026-04-27
Priority: P1 (82) · critical · 10.0 · CVSS 3.1 · AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploit: EPSS 6.16% (92.6th percentile)
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component.
Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec).
The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy.
Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all.
As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process.
The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration.
Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Bec
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | — | — |
| apache | camel | — | — |
| apache | camel | 4.14.0 – 4.14.5 | — |
| apache_software_foundation | apache_camel | — | — |
| apache_software_foundation | apache_camel | 4.14.0 – 4.14.5 | — |
| apache_software_foundation | apache_camel | >= 4.18.0 < 4.18.1 | 4.18.1 |
Detection & IOCs (extracted from sources)
- command: CamelExecCommandExecutable=/bin/sh
- command: CamelExecCommandArgs=-c 'echo <marker>'
- other: shodan: port:5683
- other: fofa: protocol="coap"
- Monitor for CoAP UDP packets on port 5683 containing URI query parameters with 'Camel*' prefixed header names (e.g. CamelExecCommandExecutable, CamelExecCommandArgs), which indicate header injection attempts against camel-coap routes.
- Alert on CoAP URI query parameters containing 'CamelExecCommandExecutable' or 'CamelExecCommandArgs', as these directly override the executable and arguments in camel-exec producers, enabling arbitrary OS command execution.
- Because the attack is UDP-based CoAP, HTTP-layer WAF/IDS controls will not detect or block exploitation; network monitoring must inspect UDP/5683 traffic directly.
- Look for unexpected process spawns (e.g. /bin/sh) originating from the Camel JVM process, which may indicate successful exploitation via injected CamelExecCommandExecutable headers.
- The PoC nuclei template matches response payloads containing the string 'VULNERABLE|' followed by 'CVE202633453'; monitor CoAP response payloads for these strings as indicators of active scanning.
- Inspect CamelCoapResource.handleRequest() call sites: if OptionSet.getUriQuery() results are passed directly to camelExchange.getIn().setHeader() without HeaderFilterStrategy filtering, the endpoint is vulnerable.
- DTLS (transport-layer security for CoAP) is optional and disabled by default, meaning most deployments expose the CoAP port without authentication, making exploitation trivial from any network-reachable host.
- Exploitation only results in RCE if the Camel route forwards CoAP messages to a header-sensitive producer (camel-exec, camel-sql, camel-bean, camel-file, camel-freemarker, camel-velocity); routes not using such producers are not directly exploitable for RCE but are still vulnerable to header injection.
- Affected versions are Apache Camel 4.14.0 through 4.14.5, 4.18.0 (before 4.18.1), and 4.19.0. Red Hat packages 'apache-camel' (Red Hat Fuse 7), 'camel-coap' (Red Hat Fuse 7) and 'camel-coap-starter' (Red Hat Fuse 7) are listed as Not Affected.
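The detection items above all reduce to one check: does a CoAP datagram carry Uri-Query parameters whose names would become Camel* headers once camel-coap copies them into the Exchange. As an added example (not code from the advisory, Apache Camel, or the nuclei template), the following parser implements the RFC 7252 option encoding and applies that check to raw UDP payloads. The three datagrams at the bottom are constructed samples, not captured traffic; the two header names it treats as camel-exec overrides are the ones from the IOC list; everything else (function names, the classification labels) is this example's own choice.

```python
"""Added detection example (not from the advisory, Apache Camel, or the nuclei
template): parse a raw CoAP datagram per RFC 7252 and report Uri-Query
parameters whose name starts with "Camel", the injection shape this CVE
describes. The sample datagrams below are constructed, not captured traffic."""

URI_PATH = 11        # CoAP option numbers (RFC 7252 section 5.10)
URI_QUERY = 15
PAYLOAD_MARKER = 0xFF

# Header names the advisory lists as directly overriding camel-exec settings.
EXEC_OVERRIDE_HEADERS = {"CamelExecCommandExecutable", "CamelExecCommandArgs"}


def _extended(nibble: int, data: bytes, pos: int) -> tuple[int, int]:
    """Decode a 4-bit delta/length nibble plus its extension bytes (RFC 7252 section 3.1).
    Returns (value, position after the extension bytes)."""
    if nibble < 13:
        return nibble, pos
    if nibble == 13:
        if pos + 1 > len(data):
            raise ValueError("truncated 1-byte option extension")
        return data[pos] + 13, pos + 1
    if nibble == 14:
        if pos + 2 > len(data):
            raise ValueError("truncated 2-byte option extension")
        return int.from_bytes(data[pos:pos + 2], "big") + 269, pos + 2
    raise ValueError("reserved nibble value 15 in an option header")


def parse_coap_options(datagram: bytes) -> list[tuple[int, bytes]]:
    """Return the (option number, raw value) pairs of a CoAP message in wire order.
    Raises ValueError on malformed or truncated input rather than guessing."""
    if len(datagram) < 4:
        raise ValueError("shorter than the 4-byte CoAP fixed header")
    if datagram[0] >> 6 != 1:
        raise ValueError("not a CoAP version 1 message")
    token_length = datagram[0] & 0x0F
    if token_length > 8:
        raise ValueError("reserved token length")
    pos = 4 + token_length
    if pos > len(datagram):
        raise ValueError("truncated token")
    options: list[tuple[int, bytes]] = []
    number = 0                                   # option numbers are delta-encoded
    while pos < len(datagram):
        head = datagram[pos]
        if head == PAYLOAD_MARKER:               # 0xFF: options end, payload follows
            break
        pos += 1
        delta, pos = _extended(head >> 4, datagram, pos)
        length, pos = _extended(head & 0x0F, datagram, pos)
        if pos + length > len(datagram):
            raise ValueError("truncated option value")
        number += delta
        options.append((number, datagram[pos:pos + length]))
        pos += length
    return options


def uri_query_params(datagram: bytes) -> list[tuple[str, str]]:
    """Split each Uri-Query option into (name, value); value is "" when there is no '='."""
    params = []
    for number, value in parse_coap_options(datagram):
        if number == URI_QUERY:
            name, _, val = value.decode("utf-8", errors="replace").partition("=")
            params.append((name, val))
    return params


def injected_camel_headers(datagram: bytes) -> list[str]:
    """Query parameter names that camel-coap would turn into Camel* internal headers."""
    return [name for name, _ in uri_query_params(datagram) if name.startswith("Camel")]


def classify(datagram: bytes) -> str:
    """"exec-override" if the camel-exec override headers from the advisory are present,
    "header-injection" for any other Camel* name, "clean" otherwise, "malformed" if
    the datagram does not parse."""
    try:
        names = injected_camel_headers(datagram)
    except ValueError:
        return "malformed"
    if EXEC_OVERRIDE_HEADERS & set(names):
        return "exec-override"
    return "header-injection" if names else "clean"


# Constructed samples. Fixed header byte 0x40 = version 1, type CON, TKL 0; then the
# code byte and a 16-bit message ID. Options follow in ascending number order.
Q1 = b"CamelExecCommandExecutable=/bin/sh"       # the IOC values listed above
Q2 = b"CamelExecCommandArgs=-c 'echo test'"
SUSPICIOUS = (
    b"\x40\x01\x12\x34"                                 # GET (code 0.01)
    + b"\xb5camel"                                      # Uri-Path: delta 11, length 5
    + bytes([(4 << 4) | 13, len(Q1) - 13]) + Q1         # Uri-Query: delta 4; length >= 13 -> 1 extension byte
    + bytes([(0 << 4) | 13, len(Q2) - 13]) + Q2         # second Uri-Query: delta 0
)
OTHER_HEADER = b"\x40\x01\x00\x02" + b"\xda\x02CamelFoo=1"  # delta 15 needs nibble 13 + ext 2
BENIGN = (
    b"\x40\x02\x00\x01"                                 # POST (code 0.02)
    + b"\xb5camel"
    + b"\x4bdeviceId=42"                                # Uri-Query: delta 4, length 11
    + b"\xff" + b'{"t":21}'                             # payload marker, then payload
)

if __name__ == "__main__":
    for label, dgram in (("suspicious", SUSPICIOUS), ("other", OTHER_HEADER), ("benign", BENIGN)):
        print(label, classify(dgram), injected_camel_headers(dgram))
```

The classifier is deliberately keyed on the name prefix rather than on the two exec headers alone: because the component applies no HeaderFilterStrategy, any Camel* name in a CoAP query is suspicious, and which producer it reaches decides the impact. Feeding it raw UDP/5683 payloads from a capture is what the advisory's "inspect UDP/5683 traffic directly" item amounts to in practice.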
CVSS provenance
- NVD: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- Red Hat (vendor): 10.0 CRITICAL
GHSA · 2026-04-27 · CWE-915 · CRITICAL
Apache camel-coap allows header injection that can lead to remote code execution
Apache Camel's camel-coap component is vulnerable to header injection because it maps CoAP request URI query parameters directly into Camel message headers without applying a HeaderFilterStrategy. An unauthenticated attacker can send a crafted CoAP request to inject arbitrary Camel internal headers into the exchange.
When a vulnerable route forwards that exchange to a header-sensitive downstream producer, the attacker may be able to control producer behavior. For example, in routes using camel-exec, injected headers can override the configured executable and arguments, which can result in arbitrary command execution with the privileges of the Camel process. Command output may be returned to the attacker in t
Red Hat (vendor) · 2026-04-27 · CWE-915 · CVSS 10.0 CRITICAL
Apache Camel: camel-coap: Apache Camel camel-coap: Remote code execution via CoAP URI query parameter injection
A flaw was found in Apache Camel's camel-coap component. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted CoAP (Constrained Application Protocol) UDP (User Datagram Protocol) packet. The camel-coap component improperly processes URI query parameters, allowing the attacker to inject arbitrary internal Camel message headers. If the Camel route forwards these messages to a header-sensitive producer, such as camel-exec, it can lead to arbitrary operating system command execution with the privileges of the Camel process, providing an interactive remote code execution channel.
Package: camel-coap (Red Hat build of Apache Camel for Sprin
No detection rules found.
Nuclei · CVSS 10.0 CRITICAL
Apache Camel camel-coap - Remote Code Execution
Apache Camel camel-coap component 4.14.0-4.14.5, 4.18.0 before 4.18.1, and 4.19.0 contains a remote code execution caused by improper header filtering of CoAP URI query parameters, letting unauthenticated attackers inject headers and execute arbitrary OS commands via header-sensitive producers, exploit requires sending a single CoAP UDP packet.
Template:
```yaml
id: CVE-2026-33453
info:
  name: Apache Camel camel-coap - Remote Code Execution
  author: DhiyaneshDK
  severity: critical
  description: |
    Apache Camel camel-coap component 4.14.0-4.14.5, 4.18.0 before 4.18.1, and 4.19.0 contains a remote code execution caused by improper header filtering of CoAP URI query parameters, letting unauthenticated attackers inject headers and execute arbitrary OS com
```
References
- https://camel.apache.org/security/CVE-2026-33453.html
- http://www.openwall.com/lists/oss-security/2026/04/26/3
- https://access.redhat.com/errata/RHSA-2026:17668
- https://access.redhat.com/security/cve/CVE-2026-33453
- https://bugzilla.redhat.com/show_bug.cgi?id=2463184
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-33453.json
Published: 2026-04-27