CVE-2026-33453
Header Injection in Apache Camel-Coap Enables Remote Code Execution
Publication date: 2026-04-27
Last updated on: 2026-04-28
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | camel | 4.19.0 |
| apache | camel | 4.18.0 |
| apache | camel | From 4.14.0 (inc) to 4.14.5 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Apache Camel camel-coap component, where incoming CoAP request URI query parameters are directly mapped into Camel message headers without any filtering.
Because of this, an unauthenticated attacker can send a single CoAP UDP packet to a Camel route and inject arbitrary internal Camel headers (those prefixed with Camel*) into the message exchange.
When these messages are forwarded to header-sensitive producers like camel-exec, the injected headers can override executable commands and arguments, leading to remote code execution (RCE) on the system running Camel.
The attacker gains an interactive RCE channel through the CoAP response payload without needing any out-of-band data exfiltration.
How can this vulnerability impact me?
This vulnerability can allow an unauthenticated attacker to execute arbitrary operating system commands on the server running the Apache Camel camel-coap component.
Since the attacker can inject headers that control the behavior of header-sensitive producers, they can manipulate the system to run malicious commands with the privileges of the Camel process.
This leads to a full remote code execution risk, potentially compromising the entire system, stealing data, disrupting services, or using the system as a foothold for further attacks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for unexpected or unauthorized CoAP UDP packets sent to the default CoAP port (5683) targeting Apache Camel routes using the camel-coap component.
Since the vulnerability allows injection of Camel internal headers via CoAP URI query parameters, network detection should focus on unusual CoAP requests containing suspicious query parameters that could modify headers prefixed with Camel*.
Because CoAP uses UDP and does not have built-in authentication by default, traditional HTTP-layer WAF or IDS tools may not detect these packets.
Suggested commands to detect suspicious CoAP traffic include using packet capture tools such as tcpdump or Wireshark to filter UDP traffic on port 5683 and inspect the Uri-Query options (tcpdump requires its flags before the capture filter expression):
- tcpdump -i <interface> -vv -X udp port 5683
- Wireshark display filter: udp.port == 5683
Additionally, inspecting Apache Camel logs for unexpected header values or execution of commands via camel-exec or other header-sensitive producers may help identify exploitation attempts.
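A small detection helper, added here as an example and not part of the advisory or of Apache Camel: it walks the option section of a CoAP datagram (RFC 7252) and reports any Uri-Query keys that start with the Camel prefix, the pattern the page says camel-coap maps straight into message headers. The two sample packets are constructed inline, and CamelExampleHeader is a placeholder name rather than a real Camel header.

```python
import struct

URI_PATH, URI_QUERY = 11, 15  # CoAP option numbers (RFC 7252 section 5.10)
CAMEL_PREFIX = "Camel"        # namespace of Camel's internal headers

def _dec(nibble, buf, pos):  # option delta/length nibble plus extension bytes
    if nibble == 13:
        return buf[pos] + 13, pos + 1
    if nibble == 14:
        return struct.unpack_from("!H", buf, pos)[0] + 269, pos + 2
    if nibble == 15:  # only legal as the 0xFF payload marker
        raise ValueError("malformed CoAP option header")
    return nibble, pos

def _enc(value):  # inverse of _dec for values below 269, enough for the samples
    return (value, b"") if value < 13 else (13, bytes([value - 13]))

def coap_options(packet):
    """Return [(option number, raw value)] for one CoAP datagram."""
    if len(packet) < 4 or packet[0] >> 6 != 1:
        raise ValueError("not a CoAP version 1 message")
    pos, number, opts = 4 + (packet[0] & 0x0F), 0, []  # skip header and token
    while pos < len(packet) and packet[pos] != 0xFF:
        first = packet[pos]
        delta, pos = _dec(first >> 4, packet, pos + 1)
        length, pos = _dec(first & 0x0F, packet, pos)
        number += delta  # option numbers are delta-encoded, so keep a running sum
        opts.append((number, bytes(packet[pos:pos + length])))
        pos += length
    return opts

def injected_camel_params(packet):
    """Uri-Query keys that camel-coap would copy into Camel* message headers."""
    keys = [v.decode("utf-8", "replace").split("=", 1)[0]
            for n, v in coap_options(packet) if n == URI_QUERY]
    return [k for k in keys if k.startswith(CAMEL_PREFIX)]

def build_get(path, queries):
    """Constructed CON GET (no token, message id 0x1234) with Uri-Path and Uri-Query."""
    msg, prev = bytearray([0x40, 0x01, 0x12, 0x34]), 0
    for num, val in [(URI_PATH, path.encode())] + [(URI_QUERY, q.encode()) for q in queries]:
        (dn, dext), (ln, lext) = _enc(num - prev), _enc(len(val))
        msg += bytes([dn << 4 | ln]) + dext + lext + val
        prev = num
    return bytes(msg)

# Constructed samples: a benign sensor read and one carrying a Camel* query key.
BENIGN = build_get("sensor", ["unit=celsius"])
SUSPECT = build_get("sensor", ["unit=celsius", "CamelExampleHeader=override"])
```

Feed it the UDP payload of each port 5683 datagram from a capture; a non-empty result from injected_camel_params is the signal worth alerting on, since a legitimate CoAP client has no reason to send query keys in Camel's internal namespace.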
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade Apache Camel to a fixed version that addresses this vulnerability, specifically version 4.18.1 or 4.19.0.
Until an upgrade can be applied, consider the following immediate actions:
- Restrict network access to the CoAP UDP port (default 5683) to trusted sources only, using firewall rules or network segmentation.
- Enable DTLS (Datagram Transport Layer Security) for CoAP communications to add authentication and encryption, reducing the risk of unauthenticated injection.
- Avoid using header-sensitive producers such as camel-exec, camel-sql, camel-bean, camel-file, or template components with routes consuming from the camel-coap component until the issue is fixed.
- Monitor logs for suspicious activity indicating header injection or unexpected command execution.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated remote code execution through injection of arbitrary headers in Apache Camel's camel-coap component, potentially leading to unauthorized access and control over the system running Camel.
Such unauthorized access and execution could result in exposure or manipulation of sensitive data, which may violate data protection regulations like GDPR or HIPAA that require strict controls over data confidentiality, integrity, and access.
Because the vulnerability enables attackers to execute arbitrary OS commands with the privileges of the Camel process, it poses a significant risk to compliance by undermining security controls designed to protect personal or sensitive information.
Organizations using affected versions of Apache Camel should upgrade to fixed versions (4.18.1 or 4.19.0) to mitigate this risk and maintain compliance with relevant security standards and regulations.