CVE-2026-46456

Apache · Camel

Improper input validation in the Apache Camel AWS2-SQS component allows attackers to inject arbitrary control headers, potentially hijacking downstream route behavior.

Executive summary

An input validation flaw in the Apache Camel AWS2-SQS component allows attackers to inject Camel control headers, leading to unauthorized manipulation of downstream application logic.

Vulnerability

The camel-aws2-sqs component fails to filter inbound message attributes, allowing attackers who can send messages to the SQS queue to inject internal control headers. These headers are then processed by downstream producers, potentially redirecting HTTP requests or altering file operations.

Business impact

With a CVSS score of 9.8, this vulnerability poses a severe risk to service integrity and data flow control. By manipulating headers, an attacker can effectively hijack the application's logic, leading to unauthorized data access, file system tampering, or redirection of sensitive traffic to external endpoints.

Remediation

Immediate Action: Upgrade to version 4.21.0, or the applicable LTS stream version (4.14.8 or 4.18.3), which introduces mandatory inbound header filtering.

Proactive Monitoring: Monitor application logs for evidence of unexpected header values or abnormal route behavior. Review SQS access patterns for unauthorized senders.

Compensating Controls: If patching is delayed, explicitly remove all Camel* and camel* headers at the start of the routing process using removeHeaders and enforce strict sqs:SendMessage permissions on the queue.

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is highly exploitable if the SQS queue is accessible to untrusted parties. Organizations must prioritize the update to ensure that inbound headers are correctly sanitized, neutralizing the ability for attackers to control internal routing logic.