EXECUTIVE SUMMARY:
Apache Camel has disclosed multiple message header injection vulnerabilities that can potentially lead to remote code execution (RCE) in certain deployments. The flaws stem from improper filtering of attacker-controlled headers or request parameters, allowing malicious values to be passed into internal Camel components such as camel-bean, camel-exec, camel-mail, or camel-coap. If vulnerable routes are internet-exposed or process untrusted input, attackers may manipulate route behavior, invoke unintended methods, execute commands, or redirect messages. Organizations using Apache Camel integrations should urgently review exposed services and update to fixed versions.

CVE-2026-27172 (CVSS score 8.8): a remote code execution vulnerability in Apache Camel's camel-consul component caused by unsafe deserialization of data from the Consul KV store. An attacker with write access to the Consul KV backend can inject a malicious serialized object that executes code during Camel registry lookups.

CVE-2026-40858 (CVSS score 8.8): a vulnerability in the Apache Camel camel-infinispan component caused by unsafe deserialization using java.io.ObjectInputStream without input filtering. A crafted serialized object stored in the Infinispan cache can be triggered during aggregation operations such as get or recover.

CVE-2026-40048 (CVSS score 7.8): the camel-pqc FileBased KeyLifecycle Manager deserializes .key files without restrictions. An attacker can exploit this by planting a "gadget chain" in the .key files, which executes code when the application attempts to load its keys.

CVE-2026-33453 (CVSS score 10.0): this flaw in the camel-coap component allows an attacker to send a single CoAP UDP packet to a Camel route, injecting internal "Camel-prefixed" headers that can be used to override configured arguments and execute OS commands.

CVE-2026-33454 (CVSS score 9.4): the camel-coap component maps CoAP URI query parameters directly into Camel message headers without adequate filtering. Attackers can send crafted CoAP requests to inject headers and abuse sensitive producers such as camel-exec or camel-file.

CVE-2026-40453 (CVSS score 9.9): this issue highlights the difficulty of patching class-wide flaws, where non-HTTP strategies such as JMS, Google Pubsub, and CoAP remained affected. Attackers can use non-canonical casing to bypass filters and still achieve RCE.
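The two filtering weaknesses the summary describes, unfiltered mapping of request parameters into message headers and a prefix filter defeated by non-canonical casing, are illustrated below. This is an added, standalone example and not Apache Camel code; the query string, header names other than the real CamelFileName, and function names are constructed for the illustration.

```python
from urllib.parse import parse_qsl

# Prefixes Camel reserves for its own control headers. A header with one of
# these prefixes arriving from an untrusted transport must be dropped before
# it can reach a component, regardless of how the letters are cased.
INTERNAL_PREFIXES = ("camel", "org.apache.camel")

# Constructed sample: a query string as an untrusted client might send it.
# "cAmElFileName" is a non-canonical casing of the Camel-prefixed header
# CamelFileName, which a case-sensitive filter would let through.
SAMPLE_QUERY = "id=42&cAmElFileName=override.txt&Content-Type=text/plain"


def query_to_headers(query: str) -> dict:
    """Mirror the risky behaviour: every query parameter becomes a header."""
    return dict(parse_qsl(query, keep_blank_values=True))


def naive_filter(headers: dict) -> dict:
    """Case-sensitive prefix check, the kind of filter the casing bypass defeats."""
    return {k: v for k, v in headers.items()
            if not k.startswith(("Camel", "org.apache.camel"))}


def hardened_filter(headers: dict) -> dict:
    """Normalise the name (trim, lower-case) before comparing, so any spelling
    of an internal prefix is rejected before the header reaches a component."""
    return {k: v for k, v in headers.items()
            if not k.strip().lower().startswith(INTERNAL_PREFIXES)}


def rejected_headers(headers: dict) -> list:
    """Names dropped by the hardened filter; suitable for logging or alerting
    on attempts to smuggle internal headers through an exposed endpoint."""
    kept = hardened_filter(headers)
    return sorted(k for k in headers if k not in kept)


if __name__ == "__main__":
    incoming = query_to_headers(SAMPLE_QUERY)
    print("naive keeps:   ", sorted(naive_filter(incoming)))
    print("hardened keeps:", sorted(hardened_filter(incoming)))
    print("rejected:      ", rejected_headers(incoming))
```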
RECOMMENDATION:
We recommend updating Apache Camel to version 4.18.2, 4.14.7, or 4.20.0 or later.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/apache-camel-rce-header-injection-vulnerabilities-guide/