CVE-2026-49098
Received Received - Intake

Header Injection in Apache Camel Kafka Component

Vulnerability report for CVE-2026-49098, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') vulnerability in Apache Camel Kafka Component. The camel-kafka producer can override its configured target topic at runtime from the kafka.OVERRIDE_TOPIC Exchange header: KafkaProducer.evaluateTopic() returns the header value in preference to the topic configured on the endpoint. The control-header constants in KafkaConstants (for example OVERRIDE_TOPIC = kafka.OVERRIDE_TOPIC, OVERRIDE_TIMESTAMP = kafka.OVERRIDE_TIMESTAMP, PARTITION_KEY = kafka.PARTITION_KEY) used plain, non-Camel-prefixed values. camel-kafka's own KafkaHeaderFilterStrategy does filter the kafka.* namespace, but only on the Kafka-to-Exchange serialization boundary (reading Kafka record headers into the Exchange, and writing Exchange headers into a Kafka record); it does not apply to headers that arrive from an upstream consumer in a multi-component route. The upstream HTTP consumer uses HttpHeaderFilterStrategy, which blocks only the Camel / camel namespace, so a kafka.* header passes through unfiltered. As a result, in a route that bridges an HTTP consumer (for example platform-http) into a kafka: producer, any HTTP client could set the kafka.OVERRIDE_TOPIC header and cause the message to be published to an arbitrary Kafka topic instead of the configured one - redirecting it to a sensitive internal topic, or injecting attacker-crafted messages into a topic consumed by a critical downstream service. The related kafka.OVERRIDE_TIMESTAMP and kafka.PARTITION_KEY headers could likewise be injected to backdate messages or target specific partitions. No credentials are required when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set or read Kafka headers via the raw header names must use the CamelKafka* names (for example CamelKafkaOverrideTopic and CamelKafkaTopic) instead of the old kafka.* values. For deployments that cannot upgrade immediately, strip the kafka.* headers from any untrusted ingress before the kafka: producer (for example removeHeaders('kafka.*') at the start of the route), and set the target topic from a trusted source.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel 4.0.0
apache camel to 4.14.8 (inc)
apache camel 4.15.0
apache camel to 4.18.3 (inc)
apache camel 4.19.0
apache camel to 4.21.0 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Apache Camel camel-kafka component and involves improper input validation and neutralization of special elements, specifically header injection. The issue arises because certain Kafka header constants like kafka.OVERRIDE_TOPIC are not prefixed with 'CamelKafka' and thus bypass HTTP header filtering. This allows an attacker to set these headers via an HTTP client, causing messages to be published to arbitrary Kafka topics instead of the intended configured topic.

As a result, an attacker can redirect messages to sensitive internal topics or inject malicious messages into critical downstream services. Other headers like kafka.OVERRIDE_TIMESTAMP and kafka.PARTITION_KEY can also be manipulated to backdate messages or target specific partitions. This vulnerability exists in Apache Camel versions from 4.0.0 before 4.14.8, 4.15.0 before 4.18.3, and 4.19.0 before 4.21.0.

Impact Analysis

This vulnerability can have significant impacts including unauthorized redirection of Kafka messages to sensitive internal topics, which may lead to data exposure or leakage.

It also allows injection of attacker-crafted messages into Kafka topics consumed by critical downstream services, potentially causing data corruption, service disruption, or unauthorized actions.

Manipulation of message timestamps and partition keys can further disrupt message processing order or targeting, affecting system reliability and integrity.

No authentication is required when the bridging consumer is unauthenticated, increasing the risk of exploitation.

Detection Guidance

Detection of this vulnerability involves monitoring for the presence of kafka.* headers, such as kafka.OVERRIDE_TOPIC, in HTTP requests or messages that are routed to the camel-kafka producer component.

You can inspect incoming HTTP headers or Kafka message headers for suspicious kafka.* prefixed headers that should not be present or are being set by untrusted sources.

  • Use network packet capture tools (e.g., tcpdump or Wireshark) to filter HTTP traffic and look for headers starting with kafka.
  • On the system running Apache Camel, use logging or debugging features to log incoming headers and check for kafka.* headers.
  • If you have access to the Camel routes, add logging steps to output headers before the kafka: producer endpoint.
  • Example command to capture HTTP traffic and filter for kafka headers: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'kafka.'
Mitigation Strategies

The primary mitigation is to upgrade Apache Camel to a fixed version: 4.14.8, 4.18.3, or 4.21.0 depending on your release stream.

If immediate upgrade is not possible, implement a temporary mitigation by stripping kafka.* headers from any untrusted ingress before the kafka: producer endpoint.

  • Add a step in your Camel route to remove headers matching 'kafka.*' from incoming messages, for example: removeHeaders('kafka.*') at the start of the route.
  • Set the target Kafka topic from a trusted source rather than allowing it to be overridden by incoming headers.

After upgrading, update routes to use the new CamelKafka-prefixed header names (e.g., CamelKafkaOverrideTopic) instead of the old kafka.* headers to ensure proper filtering.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49098. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart