Apache Software Foundation Apache Camel vulnerabilities

14 known vulnerabilities affecting apache_software_foundation/apache_camel.

Total CVEs: 14
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 7, HIGH 3, MEDIUM 4

Vulnerabilities

CVE-2026-23552 | CRITICAL | CVSS 9.1 | CWE-346 | Affected: ≥ 4.15.0, < 4.18.0 | Published: 2026-02-23 | Sources: cvelistv5, nvd
Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking te
CVE-2025-30177 | MEDIUM | CVSS 6.5 | CWE-164 | Affected: ≥ 4.10.0, < 4.10.3; ≥ 4.8.0, < 4.8.6 | Published: 2025-04-01 | Sources: cvelistv5, nvd
Bypass/Injection vulnerability in Apache Camel in Camel-Undertow component under particular conditions. This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6. Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS. Camel undertow component is vulnerable to Camel message header injec
CVE-2025-29891 | MEDIUM | CVSS 5.6 | CWE-164 | Affected: ≥ 4.10.0, < 4.10.2; ≥ 4.8.0, < 4.8.5; +1 more | Published: 2025-03-12 | Sources: cvelistv5
Apache Camel: Camel Message Header Injection through request parameters. Bypass/Injection vulnerability in Apache Camel. This issue affects Apache Camel: from 4.10.0 before 4.10.2, from 4.8.0 before 4.8.5, from 3.10.0 before 3.22.4. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability is present in Camel's def
CVE-2025-27636 | MEDIUM | CVSS 5.6 | CWE-178 | Affected: ≥ 4.10.0, < 4.10.2; ≥ 4.8.0, < 4.8.5; +1 more | Published: 2025-03-09 | Sources: cvelistv5, nvd
Bypass/Injection vulnerability in Apache Camel components under particular conditions. This issue affects Apache Camel: from 4.10.0 through <= 4.10.1, from 4.8.0 through <= 4.8.4, from 3.10.0 through <= 3.22.3. Users are recommended to upgrade to version 4.10.2 for 4.10.x LTS, 4.8.5 for 4.8.x LTS and 3.22.4 for 3.x releases. This vulnerability i
CVE-2024-22371 | HIGH (listed as LOW in the entry text) | CVSS 7.5 | CWE-922 | Affected: ≥ 3.21.x, ≤ 3.21.3; ≥ 3.22.x, ≤ 3.22.0; +2 more | Published: 2024-02-26 | Sources: cvelistv5, nvd
Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data. Vulnerability in Apache Camel. This issue affects Apache Camel: from 3.21.X through 3.21.3, from 3.22.X through 3.22.0, from 4.0.X through 4.0.3, from 4.X through 4.3.0. Users are recommended to upgrade to version
CVE-2024-23114 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: ≥ 3.0.0, < 3.21.4; ≥ 3.22.0, < 3.22.1; +2 more | Published: 2024-02-20 | Sources: cvelistv5, nvd
Deserialization of Untrusted Data vulnerability in Apache Camel CassandraQL Component AggregationRepository, which is vulnerable to unsafe deserialization. Under specific conditions it is possible to deserialize a malicious payload. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.
CVE-2024-22369 | HIGH | CVSS 7.8 | CWE-502 | Affected: ≥ 3.0.0, < 3.21.4; ≥ 3.22.0, < 3.22.1; +2 more | Published: 2024-02-20 | Sources: cvelistv5, nvd
Deserialization of Untrusted Data vulnerability in Apache Camel SQL Component. This issue affects Apache Camel: from 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. Users are recommended to upgrade to version 4.4.0, which fixes the issue. If users are on the 4.0.x LTS releases stream, then they are sugg
CVE-2018-8041 | MEDIUM | CVSS 5.3 | CWE-22 | Affected: Camel 2.20.0 to 2.20.3, Camel 2.21.0 to 2.21.1 and Camel 2.22.0 | Published: 2018-09-17 | Sources: cvelistv5, nvd
Apache Camel's Mail 2.20.0 through 2.20.3, 2.21.0 through 2.21.1 and 2.22.0 is vulnerable to path traversal.
CVE-2018-8027 | CRITICAL | CVSS 9.8 | CWE-611 | Affected: v2.20.0 to 2.20.3; v2.21.0 | Published: 2018-07-31 | Sources: cvelistv5, nvd
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.
CVE-2017-12634 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: v2.19.0 to 2.19.3; v2.20.0; +1 more | Published: 2017-11-15 | Sources: cvelistv5, nvd
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
CVE-2017-12633 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: v2.19.0 to 2.19.3; v2.20.0; +1 more | Published: 2017-11-15 | Sources: cvelistv5, nvd
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.
CVE-2016-8749 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: v2.16.0 to 2.16.4; v2.17.0 to 2.17.4; +2 more | Published: 2017-03-28 | Sources: cvelistv5, nvd
Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks.
CVE-2017-5643 | HIGH | CVSS 7.4 | CWE-918 | Affected: v2.17.0 to 2.17.5; v2.18.0 to 2.18.2; +1 more | Published: 2017-03-16 | Sources: cvelistv5, nvd
Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE.
CVE-2017-3159 | CRITICAL | CVSS 9.8 | CWE-502 | Affected: v2.17.0 to 2.17.4; v2.18.0 to 2.18.1; +1 more | Published: 2017-03-07 | Sources: cvelistv5, nvd
Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws.