CVE-2026-33454
Camel-Mail Header Injection Allows Malicious Route Manipulation
Publication date: 2026-04-27
Last updated on: 2026-04-28
Assigner: Apache Software Foundation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | camel | From 3.0.0 (inc) to 4.14.6 (exc) |
| apache | camel | From 4.15.0 (inc) to 4.18.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to inject Camel-specific headers into inbound emails, which can alter the behavior of downstream components in the Apache Camel route. This could potentially lead to unauthorized execution or manipulation of data processing within the application.
Such unauthorized manipulation and potential data integrity issues may impact compliance with standards and regulations like GDPR and HIPAA, which require strict controls over data processing, integrity, and security.
However, the provided information does not explicitly detail the direct impact on compliance frameworks or specific regulatory requirements.
Can you explain this vulnerability to me?
CVE-2026-33454 is a high-severity vulnerability in the Apache Camel-Mail component that occurs because the component improperly filters message headers when consuming emails.
Specifically, the MailHeaderFilterStrategy only filters outbound headers but does not filter inbound headers. This means that when Camel consumes mail (for example, via IMAP or POP3), inbound Camel-prefixed MIME headers are not filtered and are directly mapped into the Camel Exchange.
An attacker who can send an email to a mailbox monitored by such a Camel consumer can inject Camel-specific headers. These injected headers can influence downstream Camel components like camel-bean, camel-exec, or camel-sql, potentially altering the behavior of the Camel route and causing unintended execution or manipulation.
How can this vulnerability impact me?
This vulnerability can allow an attacker to manipulate the behavior of Camel routes by injecting malicious Camel-specific headers into emails consumed by the application.
Such manipulation can lead to unintended execution of components downstream, such as camel-bean, camel-exec, or camel-sql, which may result in unauthorized actions, data manipulation, or other harmful effects within the application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the injection of Camel-specific headers into inbound emails consumed by the Apache Camel-Mail component. Detection would involve monitoring mailboxes that are consumed by Camel applications for suspicious or unexpected Camel-prefixed MIME headers in inbound emails.
Since the vulnerability arises from unfiltered inbound headers, one approach is to inspect the raw email headers of messages received by the monitored mailbox for Camel-prefixed headers that should not normally be present.
There are no specific commands provided in the available resources to detect this vulnerability directly.
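The header inspection described above, written out as an added Python example that is not part of the CVE record or of the Apache Camel project: it parses raw RFC 5322 messages and flags any header whose name starts with `Camel`, matching case-insensitively because MIME header names are case-insensitive. The two sample messages and the header names in them are constructed for the example.

```python
from __future__ import annotations

import email
from email import policy

# Constructed sample messages, not real traffic. The first is a normal mail;
# the second carries Camel-prefixed headers that no ordinary sender sets,
# mimicking the injection described in CVE-2026-33454. Header names are
# constructed for the example.
BENIGN_MAIL = b"""From: alice@example.test
To: orders@example.test
Subject: Order 1234
Message-ID: <1@example.test>
Content-Type: text/plain

Please ship my order.
"""

SUSPICIOUS_MAIL = b"""From: mallory@example.test
To: orders@example.test
Subject: Order 1235
Message-ID: <2@example.test>
CamelBeanMethodName: constructedValue
camelSqlQuery: constructed value
Content-Type: text/plain

Hello.
"""

HEADER_PREFIX = "camel"  # compared against the lower-cased header name


def find_camel_headers(raw: bytes) -> list[tuple[str, str]]:
    """Return (name, value) for every header whose name starts with 'Camel'.

    The comparison is case-insensitive, so 'camelSqlQuery' is caught just
    like 'CamelSqlQuery'. Folded (multi-line) headers are unfolded by the
    stdlib parser before we see them.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [(name, str(value).strip()) for name, value in msg.items()
            if name.lower().startswith(HEADER_PREFIX)]


def scan_mailbox(messages: list[bytes]) -> list[dict]:
    """One report row per message that carries Camel-prefixed headers."""
    report = []
    for raw in messages:
        hits = find_camel_headers(raw)
        if hits:
            msg = email.message_from_bytes(raw, policy=policy.default)
            report.append({"message_id": str(msg["Message-ID"]), "headers": hits})
    return report


if __name__ == "__main__":
    for row in scan_mailbox([BENIGN_MAIL, SUSPICIOUS_MAIL]):
        print(row["message_id"], row["headers"])
```

On a real mailbox, feed the raw bytes of each message (as returned by an IMAP or POP3 fetch, or read from a maildir file) to `scan_mailbox`; any hit on a consumer mailbox is worth an alert, since legitimate senders have no reason to set these headers.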
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Apache Camel-Mail component to a fixed version where the vulnerability is resolved.
- Upgrade to Apache Camel version 4.19.0 if you are using a general release.
- If you are on the 4.18.x LTS release stream, upgrade to version 4.18.1.
- If you are on the 4.14.x LTS release stream, upgrade to version 4.14.6.
These upgrades ensure that the MailHeaderFilterStrategy properly filters inbound headers via setInFilterStartsWith, preventing Camel-specific header injection.