cbcvebase.
CVE-2026-40453
published 2026-04-27


Priority: P268 critical
CVSS 3.1: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.86% (53.9th percentile)
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Affected (12 ranges)

Vendor                  Product                                                 Version range        Fixed in
apache                  camel                                                   (no range listed)
apache                  camel                                                   >= 3.0.0 < 4.14.6    4.14.6
apache                  camel                                                   >= 3.18.0 < 4.14.6   4.14.6
apache                  camel                                                   >= 4.15.0 < 4.18.2   4.18.2
openshift-serverless-1  kn-eventing-integrations-aws-ddb-streams-source-rhel9   (no range listed)
openshift-serverless-1  kn-eventing-integrations-aws-s3-sink-rhel9              (no range listed)
openshift-serverless-1  kn-eventing-integrations-aws-s3-source-rhel9            (no range listed)
openshift-serverless-1  kn-eventing-integrations-aws-sns-sink-rhel9             (no range listed)
openshift-serverless-1  kn-eventing-integrations-aws-sqs-sink-rhel9             (no range listed)
openshift-serverless-1  kn-eventing-integrations-aws-sqs-source-rhel9           (no range listed)
openshift-serverless-1  kn-eventing-integrations-log-sink-rhel9                 (no range listed)
openshift-serverless-1  kn-eventing-integrations-timer-source-rhel9             (no range listed)

Detection & IOCs

Indicators (type: other):
  - CAmelExecCommandExecutable
  - CamelExecCommandExecutable
  • Monitor JMS messages for headers whose names match Camel internal header prefixes in case-variant form (e.g. 'CAmel', 'cAMEL', 'camel' with mixed casing) targeting JmsHeaderFilterStrategy, ClassicJmsHeaderFilterStrategy, SjmsHeaderFilterStrategy, CoAPHeaderFilterStrategy, or GooglePubsubHeaderFilterStrategy — these strategies use case-sensitive String.startsWith('Camel'/'camel') and will not filter such variants.
  • Alert on Camel routes that forward JMS (or CoAP/Google Pub/Sub) messages to camel-exec or camel-file components where inbound header filtering is not enforced with setLowerCase(true); injected headers such as CamelExecCommandExecutable or CamelFileName can trigger RCE or arbitrary file write.
  • Audit Apache Camel deployments running versions 3.0.0–4.14.5, 4.15.0–4.18.1, or 4.19.0–4.19.x for use of JmsHeaderFilterStrategy, ClassicJmsHeaderFilterStrategy (camel-jms), SjmsHeaderFilterStrategy (camel-sjms), CoAPHeaderFilterStrategy (camel-coap), or GooglePubsubHeaderFilterStrategy (camel-google-pubsub) without setLowerCase(true).
  • As a temporary mitigation, disable Camel routes that allow arbitrary writes and executions via camel-exec and camel-file components until patched.
  • The vulnerability is a bypass of the CVE-2025-27636 fix: setLowerCase(true) was added to HttpHeaderFilterStrategy but omitted from the five non-HTTP strategies, leaving them vulnerable to case-variant header injection.
  • The attack requires only low privileges (JMS producer access to the broker) and low complexity, and its impact can extend beyond the Apache Camel component to the entire hosting server.
  • Affected Apache Camel version ranges: 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, 4.19.0 before 4.20.0. Fixed in 4.20.0, 4.14.6 (LTS), and 4.18.2.
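A minimal model of the filtering defect in the description above and of the monitoring rule in the first Detection bullet, written for this page as an added example (it is not Apache Camel code): the case-sensitive prefix filter beside the lower-casing form of the fix, a stand-in for the Exchange's case-insensitive header map, and a check that flags case-variant Camel header names. The header set, the label values and all function names are constructed for the example.

```python
from typing import Dict, Iterable, List, Optional

# Constructed inbound JMS headers (not from a real capture). Values are
# labels only, so the model shows which names get through, nothing more.
INBOUND_HEADERS = {
    "JMSCorrelationID": "abc-123",                 # ordinary external header
    "CamelExecCommandExecutable": "canonical",     # canonical casing, filtered either way
    "CAmelExecCommandExecutable": "variant-exec",  # case variant named in the advisory
    "cAMELFileName": "variant-file",               # case variant aimed at camel-file
}

CAMEL_PREFIXES = ("Camel", "camel")


def filter_vulnerable(headers: Dict[str, str]) -> Dict[str, str]:
    """Model of the pre-fix non-HTTP strategies: case-sensitive
    String.startsWith('Camel'/'camel'), so mixed-case names pass through."""
    return {k: v for k, v in headers.items() if not k.startswith(CAMEL_PREFIXES)}


def filter_fixed(headers: Dict[str, str]) -> Dict[str, str]:
    """Same prefix check after lower-casing the name, which is the effect
    of setLowerCase(true) in the fix."""
    return {k: v for k, v in headers.items() if not k.lower().startswith("camel")}


def resolve(headers: Dict[str, str], canonical: str) -> Optional[str]:
    """Model of a downstream component reading the Exchange's case-insensitive
    header map: any casing of `canonical` resolves to its value."""
    wanted = canonical.lower()
    return next((v for k, v in headers.items() if k.lower() == wanted), None)


def case_variant_camel_headers(names: Iterable[str]) -> List[str]:
    """Broker-side detection rule: names that match the Camel prefix only
    after lower-casing, i.e. exactly the names the vulnerable filter misses."""
    return [n for n in names
            if n.lower().startswith("camel") and not n.startswith(CAMEL_PREFIXES)]


def demo() -> Dict[str, object]:
    after_vuln = filter_vulnerable(INBOUND_HEADERS)
    after_fix = filter_fixed(INBOUND_HEADERS)
    return {
        "vulnerable_exec": resolve(after_vuln, "CamelExecCommandExecutable"),  # 'variant-exec'
        "fixed_exec": resolve(after_fix, "CamelExecCommandExecutable"),        # None
        "flagged": case_variant_camel_headers(INBOUND_HEADERS),
    }


if __name__ == "__main__":
    print(demo())
```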

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v3.1     9.9    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ghsa                    5.6    MEDIUM
vendor_redhat           5.6    MEDIUM