CVE-2026-33453

Apache · Camel

The Apache Camel CoAP component lacks header filtering, allowing unauthenticated attackers to inject headers and achieve Remote Code Execution (RCE) via sensitive producers.

Executive summary

An unauthenticated remote code execution vulnerability in the Apache Camel CoAP component allows attackers to inject malicious headers via UDP packets to compromise host systems.

Vulnerability

This vulnerability is an improper control of object attributes caused by the absence of a HeaderFilterStrategy in the camel-coap component. An unauthenticated attacker can send crafted CoAP UDP packets to inject headers that cause downstream producers (e.g., camel-exec) to execute arbitrary OS commands.

Business impact

With a CVSS score of 10.0, this represents a critical risk to any environment running the CoAP component. Successful exploitation grants an attacker full command execution privileges under the service account running the Camel process, potentially leading to total system compromise, exfiltration of sensitive data, and complete loss of service availability.

Remediation

Immediate Action: Upgrade to Apache Camel 4.18.1 or 4.19.0, the versions that add the necessary header filtering to the CoAP component.

Proactive Monitoring: Monitor network traffic for CoAP packets (default port 5683) and review system logs for suspicious process spawning or command-line activity originating from the Java process.
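A minimal detection pass over process-spawn telemetry, added here as an example of the log review recommended above; it is not part of this advisory or of Apache Camel. The event line format and the sample lines are constructed, and the SUSPICIOUS_CHILDREN set is an assumed baseline that should be tuned to what the Camel process legitimately spawns in your environment.

```python
"""Flag command-interpreter spawns whose parent is the Java (Camel) process.

Added example, not part of the advisory or of Apache Camel. The event
format is a constructed 'timestamp key=value ...' line such as an EDR or
auditd post-processor might emit; adapt parse_event() to your telemetry.
"""
import shlex
from dataclasses import dataclass

# Interpreters and download/network tools that a Camel service normally has
# no reason to spawn (assumed baseline). If a route legitimately uses
# camel-exec, allow-list its expected commands instead of widening this set.
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe",
    "curl", "wget", "nc", "ncat", "python", "python3", "perl",
}


@dataclass
class ProcEvent:
    ts: str
    pid: int
    ppid: int
    comm: str      # executable name of the new process
    pcomm: str     # executable name of its parent
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed event line; shlex keeps a quoted cmdline intact."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in shlex.split(rest))
    return ProcEvent(
        ts=ts,
        pid=int(fields["pid"]),
        ppid=int(fields["ppid"]),
        comm=fields["comm"],
        pcomm=fields.get("pcomm", ""),
        cmdline=fields.get("cmdline", ""),
    )


def is_suspicious(ev: ProcEvent) -> bool:
    """A shell or fetch tool spawned directly by java is the indicator to alert on."""
    return ev.pcomm == "java" and ev.comm.lower() in SUSPICIOUS_CHILDREN


def detect(lines):
    """Return the events that warrant an alert, in log order."""
    alerts = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ev = parse_event(line)
        if is_suspicious(ev):
            alerts.append(ev)
    return alerts


def format_alert(ev: ProcEvent) -> str:
    return (f"{ev.ts} ALERT pid={ev.pid} ppid={ev.ppid}: "
            f"{ev.pcomm} spawned {ev.comm} ({ev.cmdline})")


# Constructed sample telemetry: one JVM start, one benign child, two
# interpreter/tool spawns under java, and a shell whose parent is not java.
SAMPLE_LOG = """
# ts pid ppid comm pcomm cmdline
2026-03-12T10:15:00Z pid=2210 ppid=1 comm=java pcomm=systemd cmdline="java -jar camel-app.jar"
2026-03-12T10:15:01Z pid=4100 ppid=2210 comm=git pcomm=java cmdline="git --version"
2026-03-12T10:15:02Z pid=4123 ppid=2210 comm=sh pcomm=java cmdline="sh -c id"
2026-03-12T10:15:03Z pid=4130 ppid=2210 comm=curl pcomm=java cmdline="curl http://example.invalid/"
2026-03-12T10:15:04Z pid=4140 ppid=980 comm=bash pcomm=sshd cmdline="-bash"
"""

if __name__ == "__main__":
    for ev in detect(SAMPLE_LOG.splitlines()):
        print(format_alert(ev))
```

Run against the embedded sample it reports the `sh` and `curl` children of the java process and ignores the `git` child and the `bash` login under sshd. The parent-name check is deliberately strict: matching on `pcomm == "java"` rather than on the command line avoids alerting on every shell on the host, and the allow-list note in the comments is where routes that legitimately use camel-exec would be accommodated.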

Compensating Controls: Since CoAP is UDP-based, traditional HTTP WAFs are ineffective; network-level access control lists (ACLs) should be used to restrict access to the CoAP port to authorized sources only.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

This vulnerability is of the highest severity and requires immediate remediation. Because CoAP lacks native authentication and the attack surface is exposed via UDP, any internet-facing or internally accessible CoAP endpoint is at extreme risk until patched.