CVE-2026-49099
Received Received - Intake

Authorization Bypass in Apache Camel Salesforce Component

Vulnerability report for CVE-2026-49099, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig (for example SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod, and the apexQueryParam. prefix) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a salesforce: producer, any HTTP client could therefore set these headers and override what the route intended - supplying its own SOQL query or SOSL search to read data from any SObject the connected Salesforce user can access, overriding the target SObject name and id for CRUD operations, or redirecting an Apex REST call to a different endpoint and HTTP method (including destructive methods) with injected query parameters. All such operations run with the full permissions of the Salesforce connected (integration) user, which is typically broad. No credentials are required from the attacker when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObject* / apex* values; the endpoint-option spelling is unchanged. For deployments that cannot upgrade immediately, strip the Salesforce control headers from any untrusted ingress before the salesforce: producer (for example removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route), and set the query, SObject and Apex parameters from a trusted source.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel to 4.14.8 (exc)
apache camel to 4.18.3 (exc)
apache camel to 4.21.0 (exc)
apache camel 4.14.8
apache camel 4.18.3
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Apache Camel camel-salesforce component and involves improper neutralization of special elements in output used by a downstream component, leading to an injection and authorization bypass issue.

Specifically, the component reads operation parameters such as SOQL queries, SOSL searches, target SObject names and IDs, Apex REST URLs and methods, and Apex query parameters from Exchange message headers. These headers use plain, non-Camel-prefixed names (e.g., sObjectQuery, apexUrl) that bypass HTTP header filtering.

Because these headers are not filtered, an attacker can send HTTP requests with specially crafted headers to override intended Salesforce operations. This allows unauthorized injection of SOQL/SOSL queries, modification of target SObjects for CRUD operations, or redirection of Apex REST calls, all executed with the full permissions of the connected Salesforce user.

No authentication is required from the attacker if the bridging HTTP consumer is unauthenticated, making it possible to exploit this vulnerability remotely.

Impact Analysis

This vulnerability can lead to unauthorized data access and manipulation within your Salesforce environment.

  • Attackers can inject malicious SOQL or SOSL queries to read sensitive data from any SObject accessible by the connected Salesforce user.
  • They can override target SObject names and IDs to perform unauthorized create, read, update, or delete (CRUD) operations.
  • Attackers can redirect Apex REST calls to different endpoints and HTTP methods, potentially executing destructive operations.

All these actions are performed with the full permissions of the connected Salesforce integration user, which typically has broad access, increasing the risk and impact.

If the HTTP consumer bridging to the salesforce producer is unauthenticated, no credentials are needed from the attacker, making exploitation easier.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to routes bridging an HTTP consumer (such as platform-http) into a salesforce: producer for the presence of non-Camel-prefixed Salesforce control headers like sObjectQuery, sObjectSearch, sObjectName, sObjectId, apexUrl, apexMethod, or apexQueryParam.* in the inbound HTTP requests.

Detection commands could include inspecting HTTP traffic or logs for these headers or using network monitoring tools to filter requests containing these header names.

  • Use tools like tcpdump or Wireshark to capture HTTP traffic and filter for headers such as 'sObjectQuery' or 'apexUrl'.
  • Use curl or similar HTTP clients to test endpoints by sending requests with these headers and observe if they are accepted or cause unexpected behavior.
  • Check application logs or Camel route logs for unexpected Salesforce operation parameters being set from HTTP headers.
Mitigation Strategies

Immediate mitigation steps include upgrading Apache Camel to a fixed version: 4.14.8 for the 4.14.x LTS stream, 4.18.3 for the 4.18.x stream, or 4.21.0 or later for other versions.

If upgrading immediately is not possible, sanitize incoming HTTP requests by stripping Salesforce control headers with non-Camel-prefixed names before they reach the salesforce: producer.

  • Remove headers matching 'sObject*' and 'apex*' at the start of the route using Camel's removeHeaders method.
  • Set Salesforce operation parameters only from trusted sources rather than from raw HTTP headers.

After upgrading, update routes to use the new CamelSalesforce* header names (e.g., CamelSalesforceSObjectQuery) instead of the old sObject* or apex* headers to ensure proper HTTP header filtering.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49099. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart