CVE-2026-40453
Published 2026-04-27
Priority P268 · critical · CVSS 3.1 score 9.9 · vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS 0.86% (53.9th percentile)
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components.
This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.
Users are recommended to upgrade to version 4.20.0, which fixes the issue. Users on the 4.14.x LTS release stream should upgrade to 4.14.6, and users on the 4.18.x release stream should upgrade to 4.18.2.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | — | — |
| apache | camel | >= 3.0.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 3.18.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 4.15.0 < 4.18.2 | 4.18.2 |
| openshift-serverless-1 | kn-eventing-integrations-aws-ddb-streams-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sns-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sqs-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sqs-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-log-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-timer-source-rhel9 | — | — |
Detection & IOCs
- Monitor JMS messages for headers whose names match Camel internal header prefixes in case-variant form (e.g. 'CAmel', 'cAMEL', 'camel' with mixed casing) targeting JmsHeaderFilterStrategy, ClassicJmsHeaderFilterStrategy, SjmsHeaderFilterStrategy, CoAPHeaderFilterStrategy, or GooglePubsubHeaderFilterStrategy — these strategies use case-sensitive String.startsWith('Camel'/'camel') and will not filter such variants.
- Alert on Camel routes that forward JMS (or CoAP/Google Pub/Sub) messages to camel-exec or camel-file components where inbound header filtering is not enforced with setLowerCase(true); injected headers such as CamelExecCommandExecutable or CamelFileName can trigger RCE or arbitrary file write.
- Audit Apache Camel deployments running versions 3.0.0–4.14.5, 4.15.0–4.18.1, or 4.19.0–4.19.x for use of JmsHeaderFilterStrategy, ClassicJmsHeaderFilterStrategy (camel-jms), SjmsHeaderFilterStrategy (camel-sjms), CoAPHeaderFilterStrategy (camel-coap), or GooglePubsubHeaderFilterStrategy (camel-google-pubsub) without setLowerCase(true).
- As a temporary mitigation, disable Camel routes that allow arbitrary writes and executions via camel-exec and camel-file components until patched.
- The vulnerability is a bypass of the CVE-2025-27636 fix: setLowerCase(true) was added to HttpHeaderFilterStrategy but omitted from the five non-HTTP strategies, leaving them vulnerable to case-variant header injection.
- The attack requires only low privileges (JMS producer access to the broker) and low complexity, and its impact can extend beyond the Apache Camel component to the entire hosting server.
- Affected Apache Camel version ranges: 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, 4.19.0 before 4.20.0. Fixed in 4.20.0, 4.14.6 (LTS), and 4.18.2.
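The root cause described in the advisory (a case-sensitive prefix filter sitting in front of a case-insensitive exchange header map) and the first detection item above, as a stand-alone Java model added here. This is not Camel's own code: the HeaderFilterStrategy classes, the effect of setLowerCase(true) and the Exchange header map are modelled by the hypothetical helpers `filteredCaseSensitive`, `filteredLowerCase`, `caseInsensitiveHeaders` and `applyInboundFilter`, and the inbound header names are constructed sample data.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

/**
 * Model (not Camel's code) of the header-filter defect behind CVE-2026-40453:
 * the exchange stores headers case-insensitively, but the unpatched JMS/SJMS/
 * CoAP/Pub-Sub strategies only rejected names with a case-sensitive prefix check.
 */
public class HeaderFilterCaseDemo {

    // Model of the Exchange header map: lookups ignore case, so a value stored
    // under "CAmelExecCommandExecutable" is returned for "CamelExecCommandExecutable".
    static Map<String, Object> caseInsensitiveHeaders() {
        return new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    }

    // Vulnerable check: case-sensitive String.startsWith("Camel" / "camel").
    static boolean filteredCaseSensitive(String name) {
        return name.startsWith("Camel") || name.startsWith("camel");
    }

    // Hardened check: normalise to lower case before the prefix comparison,
    // which is what setLowerCase(true) achieves on a Camel HeaderFilterStrategy.
    static boolean filteredLowerCase(String name) {
        return name.toLowerCase(Locale.ROOT).startsWith("camel");
    }

    // Detection helper (the first IOC above): Camel-internal by case-insensitive
    // prefix, but not spelled with the canonical casing the filter expects.
    static boolean isCaseVariantCamelHeader(String name) {
        return filteredLowerCase(name) && !filteredCaseSensitive(name);
    }

    static List<String> caseVariantCamelHeaders(Collection<String> names) {
        List<String> flagged = new ArrayList<>();
        for (String name : names) {
            if (isCaseVariantCamelHeader(name)) {
                flagged.add(name);
            }
        }
        return flagged;
    }

    // Copy inbound message headers into the exchange map, dropping rejected names.
    static Map<String, Object> applyInboundFilter(Map<String, Object> inbound, boolean lowerCase) {
        Map<String, Object> exchangeHeaders = caseInsensitiveHeaders();
        for (Map.Entry<String, Object> e : inbound.entrySet()) {
            boolean drop = lowerCase ? filteredLowerCase(e.getKey())
                                     : filteredCaseSensitive(e.getKey());
            if (!drop) {
                exchangeHeaders.put(e.getKey(), e.getValue());
            }
        }
        return exchangeHeaders;
    }

    public static void main(String[] args) {
        // Constructed sample of inbound JMS message headers; values are placeholders.
        Map<String, Object> inbound = new LinkedHashMap<>();
        inbound.put("JMSCorrelationID", "abc-123");
        inbound.put("CamelFileName", "canonical-casing-placeholder");
        inbound.put("CAmelExecCommandExecutable", "case-variant-placeholder");
        inbound.put("cameLFileName", "case-variant-placeholder");
        inbound.put("OrderId", "42");

        Map<String, Object> vulnerable = applyInboundFilter(inbound, false);
        Map<String, Object> hardened = applyInboundFilter(inbound, true);

        // The case-sensitive filter keeps the variant, and the canonical lookup a
        // downstream component performs still finds it; the hardened filter drops it.
        System.out.println("vulnerable filter, CamelExecCommandExecutable -> "
                + vulnerable.get("CamelExecCommandExecutable"));
        System.out.println("hardened filter,   CamelExecCommandExecutable -> "
                + hardened.get("CamelExecCommandExecutable"));

        // Detection pass over the raw inbound header names.
        for (String name : caseVariantCamelHeaders(inbound.keySet())) {
            System.out.println("ALERT case-variant Camel header on inbound message: " + name);
        }
    }
}
```

Run the class as-is: the vulnerable pass resolves the variant header under its canonical name, the hardened pass returns null for it, and the detection pass flags the two case-variant names while leaving the canonically spelled CamelFileName (which both filters already drop) and the ordinary application headers alone.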
CVSS provenance
- nvd: v3.1 9.9 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
- ghsa: 5.6 MEDIUM
- vendor_redhat: 5.6 MEDIUM
GHSA (unreviewed) · 2026-05-19 · CVSS 5.6 · CVE-2026-47323 [MEDIUM] · CWE-178
GHSA-8364-hfqj-pwm6: Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering
The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code executio
GHSA · 2026-05-19 · CVSS 5.6 · CVE-2026-47323 [MEDIUM] · CWE-178
Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering
GHSA · 2026-04-27 · CVSS 5.6 · CVE-2026-40453 [MEDIUM] · CWE-178
Apache Camel has an incomplete fix for CVE-2025-27636
GHSA (unreviewed) · 2026-04-27 · CVSS 5.6 · CVE-2026-40453 [MEDIUM] · CWE-178
GHSA-jg2m-9x48-3gvj: Apache Camel has an incomplete fix for CVE-2025-27636
Red Hat · 2026-04-27 · CVSS 5.6 · CVE-2026-40453 [MEDIUM] · CWE-178
Apache Camel: org.apache.camel: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection
A flaw was found in Apache Camel. A remote attacker with Java Message Service (JMS) producer access could exploit a vulnerability in how certain header filter strategies process case-variant internal headers. This discrepancy, where filtering is case-sensitive but header processing is not, allows for the injection of malicious headers. Consequently, this could lead to remote code execution and arbitrary file write on affected Camel routes.
Statement: This Critical flaw in Apache Camel allows remote code execution and arbitrary file write. An attacker with Java Message Service (JMS) producer access can exploit a discrepancy in header processing, where case-variant
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-05-19 · CVSS 5.6 · CVE-2026-47323 [MEDIUM]
CVE-2026-47323 camel: camel-cxf-rest: camel-cxf-transport: camel-knative-http: camel-exec: camel-file: camel-undertow: Apache Camel: Remote Code Execution via header injection due to missing inbound filtering
Bugzilla · 2026-04-27 · CVSS 5.6 · CVE-2026-40453 [MEDIUM]
CVE-2026-40453 Apache Camel: org.apache.camel: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection
References
- https://camel.apache.org/security/CVE-2026-40453.html
- https://access.redhat.com/errata/RHSA-2026:17668
- https://access.redhat.com/errata/RHSA-2026:19835
- https://access.redhat.com/security/cve/CVE-2026-40453
- https://bugzilla.redhat.com/show_bug.cgi?id=2463173
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40453.json
Published: 2026-04-27