CVE-2026-40453
Received Received - Intake
Case-Sensitive Header Injection in Apache Camel Enables RCE

Publication date: 2026-04-27

Last updated on: 2026-04-28

Assigner: Apache Software Foundation

Description
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-27
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-27
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40453
EUVD
EUVD-2026-25791
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
apache camel 4.19.0
apache camel From 3.0.0 (inc) to 4.14.6 (exc)
apache camel From 4.15.0 (inc) to 4.18.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-178 The product does not properly account for differences in case sensitivity when accessing or determining the properties of a resource, leading to inconsistent results.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

This vulnerability involves the injection of case-variant Camel internal headers via JMS or equivalent producer access to a broker consumed by an Apache Camel route. Detection would involve monitoring JMS messages for suspicious headers that use case-variant forms of Camel internal headers such as variations of 'CamelExecCommandExecutable'.

Since the issue relates to case-sensitive filtering not applied to certain HeaderFilterStrategy implementations, you can detect potential exploitation by inspecting JMS message headers for unusual or unexpected header names starting with case-variant 'Camel' prefixes.

Suggested commands or approaches include:

  • Use JMS broker management or monitoring tools to list message headers and filter for headers with names that start with case-variant 'Camel' strings (e.g., 'CAmelExecCommandExecutable').
  • If using command-line tools like `jms-tool` or broker-specific CLI, run commands to browse or consume messages and inspect headers for suspicious case-variant Camel headers.
  • Enable detailed logging on Apache Camel routes that consume JMS messages to log incoming headers and detect any case-variant Camel internal headers.
  • Use network packet capture tools (e.g., tcpdump, Wireshark) to capture JMS traffic and analyze message headers for case-variant Camel header names.

No specific commands are provided in the available resources, but these general approaches can help detect attempts to exploit this vulnerability.

Compliance Impact

The provided information does not specify how CVE-2026-40453 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-40453 is a medium severity security vulnerability in Apache Camel caused by an incomplete fix for a previous issue (CVE-2025-27636). The original fix added a method call setLowerCase(true) to the HttpHeaderFilterStrategy to filter out case-variant header names. However, this fix was not applied to five non-HTTP HeaderFilterStrategy implementations, which use case-sensitive filtering while Camel stores headers in a case-insensitive map.

Because of this discrepancy, an attacker with JMS or equivalent producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers. These headers are then resolved by downstream components such as camel-exec and camel-file using their canonical casing, enabling remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components.

Impact Analysis

This vulnerability allows an attacker with JMS or equivalent producer access to inject specially crafted headers that can lead to remote code execution and arbitrary file writes on affected Apache Camel routes. This means an attacker could execute malicious code remotely or modify files on the system where the Camel routes are running, potentially compromising the integrity and security of the affected system.

Mitigation Strategies

To mitigate this vulnerability, users should upgrade Apache Camel to a fixed version where the issue is resolved.

  • Upgrade to Apache Camel version 4.20.0 if possible.
  • If using the 4.14.x LTS release stream, upgrade to version 4.14.6.
  • If using the 4.18.x release stream, upgrade to version 4.18.2.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40453. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart