CVE-2026-46457
Received Received - Intake

Improper Input Validation in Apache Camel NATS Component

Vulnerability report for CVE-2026-46457, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation vulnerability in Apache Camel NATS component. The camel-nats component maps inbound NATS message headers into the Camel Exchange but defaulted its headerFilterStrategy to a bare new DefaultHeaderFilterStrategy() with no inbound rules configured (NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not filtered for every header name, so NatsConsumer copies every NATS message header - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - unmodified onto the Camel message. A client able to publish to the consumed NATS subject can therefore inject arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses. NATS message headers require NATS 2.2 or later, and the issue is reachable without credentials when the NATS server is configured without authentication (the NATS server default). This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes camel-nats default to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound NATS messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and enable authentication on the NATS server so that only trusted clients can publish to the consumed subject.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel to 4.14.8 (exc)
apache camel to 4.18.3 (exc)
apache camel to 4.21.0 (exc)
apache camel 4.14.8
apache camel 4.18.3
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46457 is an Improper Input Validation vulnerability in the Apache Camel camel-nats component. The issue arises because inbound NATS message headers are mapped into the Camel Exchange without proper filtering, allowing attackers who can publish to the NATS subject to inject arbitrary Camel control headers.

These injected headers include internal control headers like CamelHttpUri, CamelFileName, or CamelSqlQuery, which can manipulate the behavior of downstream producers in the route, such as redirecting HTTP requests, changing file names, or altering SQL queries.

The root cause is that the default HeaderFilterStrategy does not filter Camel-specific headers on inbound messages, enabling header injection attacks.

Impact Analysis

If exploited, this vulnerability allows an attacker who can publish messages to the consumed NATS subject to inject arbitrary Camel control headers into the message flow.

This can lead to manipulation of downstream route behavior, such as redirecting HTTP producers, changing file names, or overriding SQL queries, potentially causing unauthorized actions or data manipulation.

The injected headers persist across internal route hops, increasing the scope of impact within the application.

The vulnerability is reachable without credentials if the NATS server is configured without authentication, which is the default setting.

Detection Guidance

This vulnerability involves the injection of arbitrary Camel control headers via inbound NATS message headers. Detection involves monitoring NATS messages for unexpected Camel control headers such as CamelHttpUri, CamelFileName, or CamelSqlQuery being present in the message headers.

You can inspect NATS messages on the consumed subject to check if any Camel-specific headers are being injected. For example, using NATS CLI tools or custom scripts to subscribe to the relevant NATS subject and log or filter message headers for suspicious Camel* or camel* headers.

  • Use the NATS CLI to subscribe and inspect headers: nats sub <subject> --headers
  • Use scripting or logging in your Camel routes to detect if inbound messages contain Camel control headers before processing.
Mitigation Strategies

Immediate mitigation steps include upgrading Apache Camel to a fixed version: 4.14.8, 4.18.3, or 4.21.0 depending on your release stream.

If upgrading immediately is not possible, you should strip Camel control headers from inbound NATS messages at the start of the route by removing headers matching 'Camel*' and 'camel*'.

Additionally, enable authentication on the NATS server to ensure only trusted clients can publish to the consumed subject, preventing unauthorized header injection.

  • Upgrade to Apache Camel 4.14.8, 4.18.3, or 4.21.0.
  • Add route steps to remove headers: removeHeaders('Camel*') and removeHeaders('camel*').
  • Enable authentication on the NATS server.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46457. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart