CVE-2026-56140
Received Received - Intake

Improper Input Validation in Apache Camel AWS SNS

Vulnerability report for CVE-2026-56140, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Input Validation vulnerability in Apache Camel AWS SNS component. The camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers from being written out) and did not configure an inbound filter rule. For the related camel-aws2-sqs component this inbound gap was exploitable, because the Sqs2Consumer maps inbound SQS message attributes into the Camel Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, allowing a message sender to inject Camel control headers (tracked as CVE-2026-46456). camel-aws2-sns, by contrast, is producer-only: Sns2Endpoint does not support consumers (createConsumer throws UnsupportedOperationException, 'You cannot receive messages from this endpoint'), so no externally-supplied message attributes are ever mapped inbound into a Camel Exchange through SNS, and the missing inbound filter rule on Sns2HeaderFilterStrategy was therefore not reachable by an attacker. As part of the same fix (CAMEL-23506), an inbound filter rule (setInFilterStartsWith for the Camel namespace) was added to Sns2HeaderFilterStrategy so that its configuration matches the corrected Sqs2HeaderFilterStrategy and the other sibling strategies. This is a defense-in-depth alignment with no known exploit path in camel-aws2-sns. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. This is a defense-in-depth hardening change with no known exploit path in camel-aws2-sns, which is producer-only, so no urgent action or workaround is required. Users who want the aligned behaviour can upgrade to version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on the 4.18.x releases stream, which contain the change. As a general best practice, operators should continue to apply least-privilege IAM permissions on their SNS topics.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
apache camel to 4.14.8 (exc)
apache camel to 4.18.3 (exc)
apache camel to 4.21.0 (exc)
apache camel 4.14.8
apache camel 4.18.3
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-56140 is an Improper Input Validation vulnerability in the Apache Camel framework's camel-aws2-sns component. This component filters Camel headers using a specific strategy called Sns2HeaderFilterStrategy. Originally, it only filtered outbound headers and did not filter inbound headers. However, unlike a related component (camel-aws2-sqs) which had an exploitable inbound filtering gap, camel-aws2-sns is producer-only and does not support consumers, so no inbound message attributes are mapped into the Camel Exchange. Therefore, the missing inbound filter was not exploitable. The vulnerability was addressed by adding an inbound filter rule to align with sibling components as a defense-in-depth measure, even though no known exploit path exists.

Impact Analysis

This vulnerability poses no known exploit path in the camel-aws2-sns component because it is producer-only and does not accept inbound messages that could carry malicious headers. The fix is a defense-in-depth hardening change to prevent potential future issues similar to those found in related components. Therefore, there is no urgent impact or required workaround. Users are advised to upgrade to fixed versions for aligned behavior, but the risk of exploitation is currently theoretical.

Detection Guidance

This vulnerability involves an internal component-specific header filtering strategy in the Apache Camel camel-aws2-sns component and does not have a known exploit path or inbound message injection vector.

Because camel-aws2-sns is producer-only and does not support consumers, there is no externally supplied inbound message attribute mapping that could be detected on the network or system.

Therefore, there are no specific detection commands or network/system indicators available to identify this vulnerability in operation.

Mitigation Strategies

No urgent action or workaround is required for this vulnerability as there is no known exploit path in the camel-aws2-sns component.

To align with the defense-in-depth hardening change, users should upgrade affected Apache Camel versions to one of the fixed releases: 4.14.8, 4.18.3, or 4.21.0 depending on their release stream.

As a general best practice, operators should continue to apply least-privilege IAM permissions on their AWS SNS topics to reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56140. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart