CVE-2026-47323
published 2026-05-19

CVE-2026-47323: Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering

Priority: P268 (critical), CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.43% (69.6th percentile)
The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code execution or arbitrary file writes.

This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177), the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453).

This issue affects Apache Camel: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.
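The following is an added example, not code from Apache Camel or from this advisory. It builds two DefaultHeaderFilterStrategy instances: one configured only with setOutFilterStartsWith, which is the shape the advisory describes for the affected strategies, and one that also calls setInFilterStartsWith, which is the setter the advisory says was not configured. It then runs a constructed set of request headers through both in the external-to-Camel direction and shows which names survive. The class name InboundHeaderFilterDemo, the helper names outboundOnly, bothWays and admittedInbound, the CAMEL_PREFIXES list, the case-insensitive pattern and the sample header values are all assumptions made for this example; the page does not describe the upstream fix in this detail.

```java
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.spi.HeaderFilterStrategy;
import org.apache.camel.support.DefaultExchange;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

/**
 * Added example (not Camel's own code): an outbound-only filter strategy shaped
 * like the affected ones, next to a strategy that filters both directions, run
 * over a constructed request so the difference is visible.
 */
public class InboundHeaderFilterDemo {

    // Assumed prefix list for Camel-internal header names; the two names from the
    // advisory (CamelExecCommandExecutable, CamelFileName) fall under the first one.
    static final String[] CAMEL_PREFIXES = { "Camel", "camel", "org.apache.camel." };

    /** Outbound-only filtering: the configuration the advisory says the affected strategies had. */
    static HeaderFilterStrategy outboundOnly() {
        DefaultHeaderFilterStrategy s = new DefaultHeaderFilterStrategy();
        s.setOutFilterStartsWith(CAMEL_PREFIXES); // Camel headers do not leak to the remote peer
        // setInFilterStartsWith is deliberately NOT called: wire headers named Camel* flow into the route
        return s;
    }

    /** Filtering in both directions: adds the inbound half the advisory says was missing. */
    static HeaderFilterStrategy bothWays() {
        DefaultHeaderFilterStrategy s = new DefaultHeaderFilterStrategy();
        s.setOutFilterStartsWith(CAMEL_PREFIXES);
        s.setInFilterStartsWith(CAMEL_PREFIXES); // the setter named in the advisory
        // Design choice for this example (an assumption, not from the advisory): HTTP header
        // names are case-insensitive on the wire, so also reject any casing of a "camel" prefix.
        s.setInFilterPattern("(?i)^camel.*");
        return s;
    }

    /** Names of the wire headers a strategy admits into the Camel message (external -> Camel). */
    static Set<String> admittedInbound(HeaderFilterStrategy strategy,
                                       Map<String, Object> wireHeaders, Exchange exchange) {
        Set<String> admitted = new LinkedHashSet<>();
        for (Map.Entry<String, Object> h : wireHeaders.entrySet()) {
            // applyFilterToExternalHeaders returns true when the header must be dropped
            if (!strategy.applyFilterToExternalHeaders(h.getKey(), h.getValue(), exchange)) {
                admitted.add(h.getKey());
            }
        }
        return admitted;
    }

    public static void main(String[] args) {
        CamelContext ctx = new DefaultCamelContext();
        Exchange exchange = new DefaultExchange(ctx);

        // Constructed sample request: ordinary headers plus the two injected Camel-internal
        // names from the advisory and one mixed-case variant of CamelFileName.
        Map<String, Object> wire = new LinkedHashMap<>();
        wire.put("Content-Type", "application/json");
        wire.put("X-Request-Id", "req-42");
        wire.put("CamelExecCommandExecutable", "/bin/sh");
        wire.put("CamelFileName", "../../tmp/owned");
        wire.put("cAmElFileName", "mixed-case variant");

        System.out.println("outbound-only admits: " + admittedInbound(outboundOnly(), wire, exchange));
        System.out.println("both-ways admits:     " + admittedInbound(bothWays(), wire, exchange));
    }
}
```

With the outbound-only strategy all five names are admitted, including the two that camel-exec and camel-file would act on; with the both-ways strategy only Content-Type and X-Request-Id survive. To use such a strategy on an endpoint, register it as a bean and reference it through the endpoint's headerFilterStrategy option (check the component documentation for your Camel version). This is a defence-in-depth measure only: the advisory's remediation is upgrading to 4.14.6, 4.18.2 or 4.19.0.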

Affected (10 ranges)

Vendor | Product | Version range | Fixed in
apache | camel | >= 3.18.0, < 4.14.6 | 4.14.6
apache | camel | >= 4.15.0, < 4.18.2 | 4.18.2
openshift-serverless-1 | kn-eventing-integrations-aws-ddb-streams-source-rhel9 | |
openshift-serverless-1 | kn-eventing-integrations-aws-s3-sink-rhel9 | |
openshift-serverless-1 | kn-eventing-integrations-aws-s3-source-rhel9 | |
openshift-serverless-1 | kn-eventing-integrations-aws-sns-sink-rhel9 | |
openshift-serverless-1 | kn-eventing-integrations-aws-sqs-sink-rhel9 | |
openshift-serverless-1 | kn-eventing-integrations-aws-sqs-source-rhel9 | |
openshift-serverless-1 | kn-eventing-integrations-log-sink-rhel9 | |
openshift-serverless-1 | kn-eventing-integrations-timer-source-rhel9 | |

Detection & IOCs (extracted from sources)

  • Detect injection of the Camel-internal header 'CamelExecCommandExecutable' in inbound HTTP requests to CXF-RS or CXF-SOAP endpoints; when the route forwards to camel-exec, this can trigger remote code execution
  • Detect injection of the Camel-internal header 'CamelFileName' in inbound HTTP requests to CXF-RS or CXF-SOAP endpoints; when the route forwards to camel-file, this can trigger arbitrary file writes
  • Monitor for HTTP requests carrying headers prefixed with 'Camel' arriving at CXF-RS, CXF-SOAP, or Knative HTTP endpoints (match the prefix case-insensitively, since HTTP header names are not case-sensitive); such headers should be blocked by inbound filtering (setInFilterStartsWith) but are passed through in vulnerable versions
  • Audit routes where CxfRsHeaderFilterStrategy (camel-cxf-rest), CxfHeaderFilterStrategy (camel-cxf-transport), or KnativeHttpHeaderFilterStrategy (camel-knative-http) are used at the inbound entry point and messages are forwarded to camel-exec or camel-file components
  • Flag Apache Camel deployments running versions from 3.18.0 before 4.14.6, or from 4.15.0 before 4.18.2, as vulnerable to this header injection RCE
  • The vulnerability exists because setInFilterStartsWith is not configured on the affected HeaderFilterStrategy implementations; defenders should verify that inbound header filtering is explicitly set in CxfRsHeaderFilterStrategy, CxfHeaderFilterStrategy, and KnativeHttpHeaderFilterStrategy
  • camel-cxf-transport in Red Hat build of Apache Camel 4 for Quarkus 3, Red Hat Fuse 7, Red Hat JBoss EAP Expansion Pack, and Red Hat Process Automation 7 is listed as NOT affected; detection and patching priority should focus on Red Hat build of Apache Camel for Spring Boot 4 and OpenShift Serverless deployments
  • No mitigation short of upgrading is available per Red Hat; WAF rules blocking inbound HTTP headers matching the 'Camel*' prefix on CXF/Knative endpoints should be considered a compensating control until patching
  • This is the same header-injection pattern as CVE-2025-30177 (camel-undertow), CVE-2025-27636 and CVE-2025-29891 (broader incoming-header filter), and CVE-2026-40453 (non-HTTP strategies); existing detections for those CVEs may be partially applicable here

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GHSA: 5.6 MEDIUM
Vendor (Red Hat): 9.8 CRITICAL