CVE-2026-47323
Published 2026-05-19
Priority P268 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.43% (69.6th percentile)
Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering
The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith. As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code execution or arbitrary file writes. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177), the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453).
This issue affects Apache Camel: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2.
Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | camel | >= 3.18.0 < 4.14.6 | 4.14.6 |
| apache | camel | >= 4.15.0 < 4.18.2 | 4.18.2 |
| openshift-serverless-1 | kn-eventing-integrations-aws-ddb-streams-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-s3-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sns-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sqs-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-aws-sqs-source-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-log-sink-rhel9 | — | — |
| openshift-serverless-1 | kn-eventing-integrations-timer-source-rhel9 | — | — |
Detection & IOCs (extracted from sources)
- Detect injection of the Camel-internal header 'CamelExecCommandExecutable' in inbound HTTP requests to CXF-RS or CXF-SOAP endpoints; when the route forwards to camel-exec this can trigger remote code execution.
- Detect injection of the Camel-internal header 'CamelFileName' in inbound HTTP requests to CXF-RS or CXF-SOAP endpoints; when the route forwards to camel-file this can trigger arbitrary file writes.
- Monitor for HTTP requests carrying headers prefixed with 'Camel' arriving at CXF-RS, CXF-SOAP, or Knative HTTP endpoints. Inbound filtering (setInFilterStartsWith) should drop these, but vulnerable versions pass them through.
- Audit routes in which CxfRsHeaderFilterStrategy (camel-cxf-rest), CxfHeaderFilterStrategy (camel-cxf-transport), or KnativeHttpHeaderFilterStrategy (camel-knative-http) sits at the inbound entry point and messages are forwarded to camel-exec or camel-file.
- Flag Apache Camel deployments running versions from 3.18.0 before 4.14.6, or from 4.15.0 before 4.18.2, as vulnerable to this header injection RCE.
- The vulnerability exists because setInFilterStartsWith is not configured on the affected HeaderFilterStrategy implementations; defenders should verify that inbound header filtering is explicitly set in CxfRsHeaderFilterStrategy, CxfHeaderFilterStrategy, and KnativeHttpHeaderFilterStrategy.
- camel-cxf-transport in Red Hat build of Apache Camel 4 for Quarkus 3, Red Hat Fuse 7, Red Hat JBoss EAP Expansion Pack, and Red Hat Process Automation 7 is listed as NOT affected; detection and patching priority should focus on Red Hat build of Apache Camel for Spring Boot 4 and OpenShift Serverless deployments.
- Per Red Hat, no mitigation short of upgrading is available; WAF rules that block inbound HTTP headers matching the 'Camel*' prefix on CXF/Knative endpoints should be considered a compensating control until patching.
- This is the same header-injection pattern as CVE-2025-30177 (camel-undertow), CVE-2025-27636 and CVE-2025-29891 (broader incoming-header filter), and CVE-2026-40453 (non-HTTP strategies); existing detections for those CVEs may be partially applicable here.
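The detection and version checks listed above, as an added example that is not code from this page, from the Apache Camel project, or from Red Hat: a Python scanner over newline-delimited JSON request records exported from a reverse proxy. The record layout (`id`, `path`, `headers`), the watched URL path prefixes and the sample records are all constructed assumptions for the example. It flags any client-supplied header whose name begins with the Camel-internal prefix, rates the two headers the advisory names (CamelExecCommandExecutable, CamelFileName) as high risk, and shows why the check must be case-insensitive: HTTP header names are case-insensitive, so a case-sensitive startsWith check lets `camelfilename` straight through. It also includes a check of plain upstream x.y.z version strings against the two affected ranges stated above.

```python
"""Scan HTTP request records for Camel-internal headers reaching CXF/Knative endpoints."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass

# Header-name prefix that Camel reserves for its own exchange headers. "Camel" is the
# prefix the advisory says should be configured via setInFilterStartsWith; the compare is
# done on the lowercased name because HTTP header names are case-insensitive.
INTERNAL_PREFIXES = ("camel",)

# Headers the advisory names as overriding component configuration downstream.
HIGH_RISK_HEADERS = {
    "camelexeccommandexecutable": "camel-exec executable override (remote code execution)",
    "camelfilename": "camel-file target name override (arbitrary file write)",
}

# URL path prefixes where this deployment exposes CXF-RS, CXF-SOAP and Knative HTTP
# endpoints. Assumed values for the example, not anything the advisory states.
WATCHED_PATH_PREFIXES = ("/services/", "/api/", "/knative/")

# Affected ranges from the advisory: [3.18.0, 4.14.6) and [4.15.0, 4.18.2).
AFFECTED_RANGES = (((3, 18, 0), (4, 14, 6)), ((4, 15, 0), (4, 18, 2)))


def is_internal_header(name: str) -> bool:
    """What an inbound startsWith filter should reject, compared case-insensitively."""
    return name.lower().startswith(INTERNAL_PREFIXES)


def naive_filter_blocks(name: str) -> bool:
    """A case-sensitive prefix check, shown only to illustrate what it misses."""
    return name.startswith("Camel")


def is_affected(version: str) -> bool:
    """True if an upstream x.y.z Camel version falls inside an affected range.

    Vendor builds backport fixes under their own version strings, so only the
    leading x.y.z is compared and vendor advisories remain the authority for them.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not an x.y.z version: {version!r}")
    v = tuple(int(x) for x in m.groups())
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


@dataclass(frozen=True)
class Finding:
    request_id: str
    path: str
    header: str
    value: str
    severity: str  # "high" for advisory-named headers, otherwise "medium"
    reason: str
    on_watched_endpoint: bool


def scan_record(rec: dict) -> list[Finding]:
    """Return one finding per Camel-internal header present in a single request record."""
    findings: list[Finding] = []
    path = rec.get("path", "")
    watched = path.startswith(WATCHED_PATH_PREFIXES)
    for name, value in rec.get("headers", {}).items():
        if not is_internal_header(name):
            continue
        key = name.lower()
        if key in HIGH_RISK_HEADERS:
            findings.append(Finding(rec.get("id", "?"), path, name, value, "high",
                                    HIGH_RISK_HEADERS[key], watched))
        else:
            findings.append(Finding(rec.get("id", "?"), path, name, value, "medium",
                                    "Camel-internal header supplied by client", watched))
    return findings


def scan_log(lines) -> list[Finding]:
    """Scan newline-delimited JSON request records; lines that are not JSON are skipped."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        findings.extend(scan_record(rec))
    return findings


# Constructed sample records for the example; not taken from any real deployment.
SAMPLE_LOG = """\
{"id": "r1", "path": "/api/orders", "headers": {"Accept": "application/json", "User-Agent": "curl/8.5"}}
{"id": "r2", "path": "/services/order", "headers": {"Content-Type": "text/xml", "CamelExecCommandExecutable": "/bin/sh"}}
{"id": "r3", "path": "/api/upload", "headers": {"camelfilename": "../../etc/cron.d/job"}}
{"id": "r4", "path": "/knative/events", "headers": {"Ce-Id": "42", "CamelHttpPath": "/other"}}
{"id": "r5", "path": "/healthz", "headers": {"Camel-Anything": "x"}}
not json at all
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.request_id} {f.path} {f.header}={f.value!r} [{f.reason}]")
    # The case-sensitive check passes the r3 header straight through.
    print("naive filter blocks 'camelfilename':", naive_filter_blocks("camelfilename"))
    for v in ("4.14.5", "4.14.6", "4.18.1", "4.18.2", "4.19.0"):
        print(v, "affected" if is_affected(v) else "fixed/out of range")
```

A header that is only Camel-prefixed (r4, r5) is reported at medium severity because the advisory's impact depends on which component the route forwards to; the two headers it names are reported as high regardless of path, since the watched-path list is a deployment assumption and a misrouted request to an unlisted path is still worth a look.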
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| NVD (v3.1) | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| GHSA | 5.6 | MEDIUM | — |
| Red Hat (vendor) | 9.8 | CRITICAL | — |
VulDB
vuldb · 2026-05-23 · CVSS 9.8
CVE-2026-47323 [CRITICAL] Apache Camel up to 4.14.5/4.18.1 SOAP Endpoint case sensitivity
A vulnerability labeled as critical has been found in Apache Camel up to 4.14.5/4.18.1. Affected by this issue is some unknown functionality of the component SOAP Endpoint. Such manipulation leads to improper handling of case sensitivity.
This vulnerability is referenced as CVE-2026-47323. It is possible to launch the attack remotely. No exploit is available.
The affected component should be upgraded.
GHSA (unreviewed)
ghsa_unreviewed · 2026-05-19 · CVSS 5.6
CVE-2026-47323 [MEDIUM] CWE-178 GHSA-8364-hfqj-pwm6: Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering
Description: the Apache advisory text given above.
GHSA
ghsa · 2026-05-19 · CVSS 5.6
CVE-2026-47323 [MEDIUM] CWE-178 Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering
Original title: Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering. Description: the Apache advisory text given above.
Red Hat
vendor_redhat · 2026-05-19 · CVSS 9.8
CVE-2026-47323 [CRITICAL] CWE-791 camel: camel-cxf-rest: camel-cxf-transport: camel-knative-http: camel-exec: camel-file: camel-undertow: Apache Camel: Remote Code Execution via header injection due to missing inbound filtering
A flaw was found in Apache Camel. An unauthenticated attacker could inject Camel-internal headers via HTTP requests to CXF-RS or CXF-SOAP endpoints due to missing inbound filtering in the `HeaderFilterStrategy` implementations. This allows the attacker to override configured values when messages are forwarded to header-driven components like camel-exec or camel-file, potentially leading to remote code execution or arbitrary file writes.
Statement: This Critical flaw in Apache Camel allows an unauthenticated attacker to achieve remote code execution or arbitrary file writes. The vulnerability arise
No detection rules found.
No public exploits indexed.