CVE-2026-46456
Received Received - Intake

Improper Input Validation in Apache Camel AWS2-SQS

Vulnerability report for CVE-2026-46456, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component. The camel-aws2-sqs component map inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers being written to the broker) but did not configure an inbound filter. As a result, when Sqs2Consumer copies each SQS MessageAttribute into the Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, DefaultHeaderFilterStrategy applied no inbound rule and treated every header name as not filtered - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - copying them unmodified onto the Camel message. Any principal able to send messages to the consumed SQS queue (for example a cross-account sender or a lower-privileged in-account component holding sqs:SendMessage) could therefore set arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds an inbound HeaderFilterStrategy rule to Sqs2HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so sender-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and restrict who may send to the consumed SQS queue by applying least-privilege sqs:SendMessage permissions on the queue resource policy.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel to 4.14.8 (inc)
apache camel 4.15.0
apache camel to 4.18.3 (inc)
apache camel 4.19.0
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an improper input validation issue in the Apache Camel camel-aws2-sqs component. It occurs because inbound message attributes from Amazon SQS are mapped into the Camel Exchange without proper filtering of headers. Specifically, the component's HeaderFilterStrategy only blocked certain headers on outbound messages but did not filter inbound headers. As a result, an attacker who can send messages to the SQS queue can inject arbitrary Camel control headers such as CamelHttpUri, CamelFileName, or CamelSqlQuery. These injected headers can influence the behavior of downstream components in the message route, potentially redirecting HTTP requests, changing file names, or overriding SQL queries.

Impact Analysis

The impact of this vulnerability is that an attacker with permission to send messages to the affected SQS queue can manipulate the behavior of downstream producers in the Apache Camel route. This can lead to unauthorized redirection of HTTP requests, modification of file names, or alteration of SQL queries, depending on the route configuration. Such manipulation can disrupt normal application workflows, cause data corruption, or lead to unauthorized actions within the system.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Apache Camel to a fixed version: 4.14.8 if you are on the 4.14.x LTS stream, 4.18.3 if on the 4.18.x stream, or 4.21.0 for other versions.

If immediate upgrade is not possible, implement temporary workarounds by stripping Camel control headers from inbound messages before they reach any downstream producer. This can be done by removing headers matching 'Camel*' and 'camel*' at the start of the route (e.g., using removeHeaders('Camel*') and removeHeaders('camel*')).

Additionally, restrict who can send messages to the consumed SQS queue by applying least-privilege sqs:SendMessage permissions on the queue resource policy to prevent unauthorized header injection.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46456. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart