CVE-2026-33454: Apache Camel Header Injection Vulnerability

CVE-2026-33454 Overview

A critical message header injection vulnerability has been discovered in the Apache Camel-Mail component. The vulnerability exists in the MailHeaderFilterStrategy class, which only filters headers in the 'out' direction via setOutFilterStartsWith, while failing to configure filtering for the 'in' direction via setInFilterStartsWith. This asymmetric filtering allows attackers to inject Camel-specific MIME headers into emails that are processed by applications consuming mail through camel-mail (via imap:// or pop3:// protocols), potentially altering the behavior of downstream Camel components.

Critical Impact

Attackers can inject malicious Camel-prefixed headers into emails that bypass input filtering, enabling manipulation of downstream components such as camel-bean, camel-exec, or camel-sql to execute arbitrary commands or alter application behavior.

Affected Products

• Apache Camel versions 3.0.0 to 4.14.5
• Apache Camel versions 4.15.0 to 4.18.0
• Applications using the camel-mail component with IMAP or POP3 consumers

Discovery Timeline

• 2026-04-27 - CVE-2026-33454 published to NVD
• 2026-04-28 - Last updated in NVD database

Technical Details for CVE-2026-33454

Vulnerability Analysis

This vulnerability represents an input validation bypass in Apache Camel's mail processing pipeline. When a Camel application consumes email messages through the camel-mail component using protocols like IMAP or POP3, the incoming messages should have Camel-prefixed headers filtered to prevent injection attacks. However, the MailHeaderFilterStrategy implementation contains an asymmetric configuration flaw where only outbound filtering is properly enabled.

The vulnerability follows the same attack pattern previously addressed in related Apache Camel vulnerabilities (CVE-2025-30177 in camel-undertow, CVE-2025-27636, and CVE-2025-29891), where improper header filtering allows external input to influence internal Camel routing decisions. This is classified under CWE-502 (Deserialization of Untrusted Data) as the unfiltered headers can lead to unsafe processing of attacker-controlled data.

Root Cause

The root cause lies in the incomplete implementation of the MailHeaderFilterStrategy class. While the strategy correctly calls setOutFilterStartsWith to filter Camel-prefixed headers on outbound messages, it omits the corresponding setInFilterStartsWith call for inbound messages. This oversight means that when email messages are consumed, the inbound filter check is skipped entirely, allowing Camel-prefixed MIME headers to be mapped directly into the Exchange without sanitization.

Attack Vector

An attacker can exploit this vulnerability by sending a specially crafted email to a mailbox monitored by a vulnerable Camel application. The email contains malicious Camel-specific headers (such as CamelExecCommandArgs, CamelBeanMethodName, or CamelSqlQuery) embedded as MIME headers. When the camel-mail consumer processes this email, these headers bypass the input filter and are propagated to downstream Camel components.

For instance, if the route passes messages to camel-exec, an injected CamelExecCommandArgs header could modify the command arguments executed on the system. Similarly, camel-sql could be manipulated via injected SQL query parameters, and camel-bean method invocations could be redirected to unintended methods.

Detection Methods for CVE-2026-33454

Indicators of Compromise

• Unusual email messages in monitored mailboxes containing Camel-prefixed MIME headers
• Unexpected command executions or database queries originating from Camel application processes
• Log entries showing unexpected method invocations in camel-bean components
• Anomalous outbound network connections or system calls from mail processing applications

Detection Strategies

• Implement email gateway rules to detect and flag messages containing suspicious Camel* headers
• Enable verbose logging on Camel routes to capture header values being processed
• Deploy application-level intrusion detection to monitor for header injection patterns
• Review audit logs for unexpected component behavior downstream of mail consumers

Monitoring Recommendations

• Monitor Camel application logs for unexpected header values in incoming mail messages
• Set up alerts for unusual process spawns or database queries from mail processing services
• Implement network monitoring for outbound connections from Camel applications to unexpected destinations
• Track system call patterns from processes handling email consumption

How to Mitigate CVE-2026-33454

Immediate Actions Required

• Upgrade Apache Camel to version 4.19.0 or later immediately
• For users on the 4.18.x LTS stream, upgrade to version 4.18.1
• For users on the 4.14.x LTS stream, upgrade to version 4.14.6
• Audit all Camel routes that consume mail via IMAP or POP3 for potential exposure

Patch Information

Apache has released security patches addressing this vulnerability. Users should upgrade to the following fixed versions:

For detailed patch information and upgrade instructions, refer to the Apache Camel Security Advisory.

Workarounds

• Implement a custom HeaderFilterStrategy that explicitly filters Camel-prefixed headers on inbound messages
• Add email pre-processing to strip any headers matching the Camel* pattern before mail reaches the Camel consumer
• Restrict mailbox access to trusted senders only if possible
• Consider isolating mail-consuming Camel applications in sandboxed environments until patching is complete

# Configuration example - Custom header filter in Camel route
# Add explicit header filtering for inbound mail processing
# Ensure CAMEL_OPTS includes security-hardened filter configuration
export CAMEL_OPTS="-Dcamel.component.mail.headerFilterStrategy=customSecureFilterStrategy"

# Verify Apache Camel version after upgrade
mvn dependency:tree | grep camel-mail
# Expected output should show version 4.19.0, 4.18.1, or 4.14.6+