CVE-2026-46454 Overview
CVE-2026-46454 is an improper input validation vulnerability [CWE-20] in the Apache Camel camel-cometd component. The component copies inbound Bayeux (CometD) message headers directly into the Camel Exchange without applying a HeaderFilterStrategy. This allows unauthenticated clients to inject Camel-internal control headers such as CamelHttpUri, CamelFileName, or CamelJmsDestinationName. Because CometdComponent installs no Bayeux SecurityPolicy by default, any client completing the Bayeux handshake can publish malicious headers. The injected headers propagate across direct, seda, and vm hops, influencing downstream producers in the route.
Critical Impact
Remote unauthenticated attackers can inject Camel control headers to redirect HTTP producers, overwrite files, or reroute JMS messages in affected Camel routes.
Affected Products
- Apache Camel 4.0.0 through 4.14.7
- Apache Camel 4.15.0 through 4.18.2
- Apache Camel 4.19.0 through 4.20.x
Discovery Timeline
- 2026-07-06 - CVE-2026-46454 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-46454
Vulnerability Analysis
Apache Camel is an integration framework that routes messages between components using an Exchange abstraction. The camel-cometd component provides Bayeux protocol support for real-time web messaging. The vulnerability resides in CometdBinding.populateExchangeFromMessage, which converts inbound CometD messages into Camel Exchanges.
The binding copies the entire ext.CamelHeaders map supplied by the client directly onto the Camel message using message.setHeaders. No filtering distinguishes protocol headers from Camel-internal control headers. Client-supplied Camel* and camel* headers therefore reach downstream producers unchanged. The concrete impact depends on which producers the route uses, but includes HTTP redirection, arbitrary file writes, and JMS destination hijacking.
Root Cause
The component was missing a HeaderFilterStrategy implementation. A long-standing TODO in the source code acknowledged the gap. Camel's other components filter the reserved Camel* / camel* namespace on inbound mapping, but camel-cometd did not. This design gap allows externally supplied headers to occupy the same namespace as internal routing directives.
Attack Vector
An attacker completes the Bayeux handshake against an exposed CometD endpoint. Because CometdComponent provisions no default SecurityPolicy, no authentication is required. The attacker publishes a Bayeux message containing an ext.CamelHeaders map with keys such as CamelHttpUri set to an attacker-controlled URL. When the route hands the Exchange to an HTTP producer, the producer honors the injected CamelHttpUri and issues the request to the attacker's target. The same technique redirects file producers via CamelFileName or JMS producers via CamelJmsDestinationName. Injected headers persist through internal direct, seda, and vm hops, extending the reach of the attack across the route graph.
No verified public exploit code was available at the time of publication. See the Apache Camel CVE-2026-46454 Advisory for technical details.
Detection Methods for CVE-2026-46454
Indicators of Compromise
- Bayeux publish messages to CometD endpoints containing an ext.CamelHeaders object with keys beginning with Camel or camel.
- HTTP producer requests to hosts that do not match the route's configured to("http:...") target URI.
- File producer writes to unexpected paths that differ from the route's static fileName configuration.
- JMS producer traffic to destinations not declared in the deployed route definitions.
Detection Strategies
- Inspect CometD channel subscriptions and publish payloads for the presence of Camel reserved header names in the ext field.
- Enable Camel route tracing or MDC logging to record header maps at the entry of each from("cometd:...") route.
- Compare runtime Exchange headers against a known allowlist derived from the route DSL and alert on unexpected Camel* keys.
Monitoring Recommendations
- Log outbound HTTP, file, and JMS producer targets and alert on deviations from expected values.
- Monitor Bayeux handshake sources for unauthenticated or anomalous client identifiers on production CometD endpoints.
- Track upgrade status of camel-cometd artifacts in dependency inventories and SBOMs.
How to Mitigate CVE-2026-46454
Immediate Actions Required
- Upgrade Apache Camel to 4.21.0 on the main release stream.
- Upgrade to 4.14.8 if running the 4.14.x LTS stream.
- Upgrade to 4.18.3 if running the 4.18.x release stream.
- Restrict network exposure of CometD endpoints to trusted clients until patches are applied.
Patch Information
The fix implements a HeaderFilterStrategy in the camel-cometd binding that filters the Camel header namespace case-insensitively on inbound mapping. After the patch, client-supplied Camel* and camel* headers are no longer copied into the Exchange. Refer to the Apache Camel CVE-2026-46454 Advisory and the Openwall OSS-Security Discussion for full release notes.
Workarounds
- Strip Camel control headers at the start of the route using removeHeaders("Camel*") and removeHeaders("camel*") before any downstream producer runs.
- Install an explicit Bayeux SecurityPolicy on CometdComponent so only authenticated clients can publish or subscribe.
- Terminate CometD traffic behind an authenticating reverse proxy that rejects untrusted publishers.
# Camel route example applying inbound header filtering
from("cometd://0.0.0.0:9090/service/test")
.removeHeaders("Camel*")
.removeHeaders("camel*")
.to("http://backend.internal/process");
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

