CVE-2026-33454
Apache · Camel
The Camel-Mail component fails to properly filter inbound MIME headers, allowing attackers to inject Camel-specific headers that can alter downstream application behavior.
Executive summary
A critical message header injection vulnerability in Apache Camel allows unauthenticated attackers to manipulate application routing and potentially execute unauthorized operations.
Vulnerability
The flaw is a message header injection in the MailHeaderFilterStrategy of the camel-mail component. Because the inbound filter checks are skipped, an unauthenticated attacker can inject malicious headers into the Exchange whenever the application consumes email over IMAP or POP3.
Business impact
The ability to inject headers that influence downstream components like camel-bean or camel-exec poses a severe risk to system integrity. With a CVSS score of 9.4, this vulnerability could be leveraged to alter business logic, gain unauthorized access to data, or facilitate remote execution of processes, leading to significant operational disruption and data exposure.
Remediation
Immediate Action: Upgrade to Apache Camel version 4.19.0, or, to stay on your current release stream, move to the patched releases 4.14.6 or 4.18.1.
Proactive Monitoring: Inspect application logs for unexpected Camel headers or anomalous execution requests originating from the mail consumer routes.
Compensating Controls: Ensure that mail servers and application gateways are strictly configured to inspect incoming traffic and sanitize MIME headers before they reach the Camel consumer.
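One way to implement such a control inside Camel itself, as an added illustration that is not code from Apache Camel or from this advisory: a custom HeaderFilterStrategy that drops inbound mail headers using Camel-reserved prefixes before a bean or exec endpoint can see them. The prefix list, route URI and bean name are assumptions made for the example.

```java
import java.util.Locale;
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.spi.HeaderFilterStrategy;

// Added example: reject inbound MIME headers whose names use Camel-reserved
// prefixes, so a header in a received email cannot become a Camel header that
// downstream endpoints act on. The prefix list is an assumption for illustration.
public class SafeMailHeaderFilter implements HeaderFilterStrategy {

    private static final String[] RESERVED_PREFIXES = { "camel", "org.apache.camel" };

    // Returns true when the header must be dropped (Camel's filter contract).
    static boolean isReserved(String headerName) {
        if (headerName == null) {
            return true;
        }
        String name = headerName.toLowerCase(Locale.ROOT);
        for (String prefix : RESERVED_PREFIXES) {
            if (name.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    // External -> Camel direction: headers copied from the received MIME message.
    @Override
    public boolean applyFilterToExternalHeaders(String headerName, Object headerValue, Exchange exchange) {
        return isReserved(headerName);
    }

    // Camel -> external direction: keep internal headers out of outgoing mail as well.
    @Override
    public boolean applyFilterToCamelHeaders(String headerName, Object headerValue, Exchange exchange) {
        return isReserved(headerName);
    }

    // Route wiring (assumed URI and bean name): register the strategy, reference it on
    // the consumer endpoint, and strip any survivors before the bean endpoint runs.
    public static class MailRoute extends RouteBuilder {
        @Override
        public void configure() {
            getCamelContext().getRegistry().bind("safeMailHeaders", new SafeMailHeaderFilter());
            from("imaps://mail.example.test?username=inbox&password=RAW(secret)"
                 + "&headerFilterStrategy=#safeMailHeaders")
                // Belt and braces; this also removes headers the consumer itself sets,
                // so narrow the pattern if the route relies on any of them.
                .process(e -> e.getIn().removeHeaders("Camel*"))
                .to("bean:ticketService?method=open");
        }
    }
}
```

The strategy is applied at the point where the consumer maps MIME headers onto the Exchange, so it does not depend on the mail server or gateway having sanitized the message first.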
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical severity of this header injection flaw, administrators must prioritize patching affected Camel instances immediately. Failure to update allows potential attackers to manipulate the internal message exchange, which may result in full system compromise.