CVE-2026-46584
Received Received - Intake

Improper Input Validation in Apache Camel Mail Component

Vulnerability report for CVE-2026-46584, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Camel Mail Component. The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (for example platform-http query parameters or request headers, or JMS / Kafka messages from untrusted producers) that feeds a route ending in an smtp / smtps producer without an intervening removeHeaders. The maximal impact is version-dependent: on releases before 4.19.0, setting mail.smtp.host redirects the SMTP connection to a server under the attacker's control, and because the producer then authenticates with the endpoint's configured username and password those credentials are transmitted to the attacker; on 4.19.0 and later the producer connects to the endpoint's configured host explicitly, so the reachable impact is limited to weakening transport security (for example mail.smtp.ssl.trust, mail.smtp.starttls.enable or mail.smtp.socks.host) and interception of the outgoing message rather than host redirect. Exploitation requires a route that channels untrusted input into the mail producer without stripping the namespace. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the per-message override is disabled by default; enable it only on trusted endpoints with useJavaMailSessionPropertiesFromHeaders=true. For deployments that cannot upgrade immediately, strip the namespace before the mail producer with removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') between any untrusted ingress and the smtp / smtps producer. Even with the opt-in enabled, route authors should still strip the namespace on any path that carries untrusted input.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel 4.14.8
apache camel 4.15.0
apache camel 4.18.3
apache camel 4.19.0
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46584 is a vulnerability in the Apache Camel camel-mail component caused by improper input validation. The mail producer improperly applies attacker-supplied mail.smtp.* or mail.smtps.* headers as JavaMail session properties without filtering them. These headers can come from untrusted sources such as HTTP query parameters or JMS/Kafka messages. In versions before 4.19.0, this allows an attacker to redirect SMTP connections to a server they control and steal SMTP credentials. In versions 4.19.0 and later, the connection host is fixed, but other security settings can still be weakened, potentially allowing interception of outgoing messages.

Impact Analysis

This vulnerability can lead to exposure of sensitive information and weakening of transport security. In affected versions before 4.19.0, an attacker can redirect SMTP connections to their own server and capture the configured username and password, leading to credential theft. In later versions, while host redirection is prevented, attackers can still weaken security settings such as SSL trust or STARTTLS, potentially allowing interception of outgoing emails. Exploitation requires a route that passes untrusted input to the mail producer without removing these headers.

Detection Guidance

This vulnerability can be detected by monitoring for the presence of mail.smtp.* or mail.smtps.* headers being passed into the Apache Camel mail producer from untrusted sources. Since these headers are not filtered by default, inspecting message headers in routes that end with an smtp or smtps producer can reveal potential exploitation attempts.

To detect this on your system, you can check your Camel routes for any usage of mail producers that receive input from untrusted protocols (such as HTTP query parameters, JMS, or Kafka messages) without removing these headers.

Suggested commands or checks include:

  • Review Camel route definitions for mail producers and verify if removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') are applied before the mail producer.
  • Use logging or debugging to inspect message headers in routes that end with smtp/smtps producers to see if mail.smtp.* or mail.smtps.* headers are present.
  • If you have access to the running system, you can use Camel's JMX or management APIs to query message headers or route configurations.
Mitigation Strategies

The immediate mitigation steps are:

  • Upgrade Apache Camel to a fixed version: 4.14.8 for the 4.14.x LTS stream, 4.18.3 for the 4.18.x stream, or 4.21.0 or later.
  • After upgrading, ensure that the per-message override of JavaMail session properties from headers is disabled by default (useJavaMailSessionPropertiesFromHeaders=false). Enable it only on trusted endpoints.
  • If you cannot upgrade immediately, apply header stripping in your routes by adding removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') before the mail producer to prevent untrusted input from influencing mail session properties.
  • Even if the override option is enabled, always strip these headers on any path that carries untrusted input.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46584. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart