Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46584

CVE-2026-46584: Apache Camel Information Disclosure Issue

CVE-2026-46584 is an information disclosure vulnerability in Apache Camel Mail Component that exposes sensitive data through improper input validation. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-46584 Overview

CVE-2026-46584 is an improper input validation vulnerability [CWE-20] in the Apache Camel Mail Component. The camel-mail producer (MailProducer.getSender) scans outgoing Exchange messages for headers in the mail.smtp.* and mail.smtps.* namespace. When such headers exist, the producer builds a per-message JavaMail sender with those values, overriding the endpoint configuration. No HeaderFilterStrategy blocks this Camel-internal namespace, so untrusted inbound protocols such as platform-http, JMS, or Kafka can inject these headers into any route that ends in an smtp or smtps producer.

Critical Impact

On Apache Camel versions before 4.19.0, attackers can set mail.smtp.host to redirect SMTP traffic to attacker-controlled servers, exfiltrating the endpoint's configured SMTP credentials. On 4.19.0 and later, the impact is limited to weakening transport security and message interception.

Affected Products

  • Apache Camel 4.0.0 through 4.14.7
  • Apache Camel 4.15.0 through 4.18.2
  • Apache Camel 4.19.0 through 4.20.x (limited impact)

Discovery Timeline

  • 2026-07-06 - CVE-2026-46584 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-46584

Vulnerability Analysis

The Apache Camel Mail Component allows per-message override of JavaMail session properties through message headers. The MailProducer.getSender method inspects the outgoing Exchange for any header in the mail.smtp.* or mail.smtps.* namespace. When present, the producer constructs a new JavaMail sender using those header values as session properties, bypassing the endpoint's configured values.

The root design assumption was that this namespace is Camel-internal and only consumed by MailProducer. However, no default HeaderFilterStrategy strips these headers, so any inbound protocol can carry them end-to-end through a route.

Root Cause

The vulnerability stems from missing input validation and the absence of a header filter for the mail.smtp.* and mail.smtps.* namespace. The producer trusts message headers as configuration input without verifying their origin. Any route that channels untrusted input (query parameters, HTTP headers, JMS payloads, Kafka records) into a mail producer without an intervening removeHeaders step is exposed.

Attack Vector

On releases before 4.19.0, an attacker injects mail.smtp.host (and optionally mail.smtp.port) via an untrusted ingress. The producer then opens the SMTP connection to the attacker's server and authenticates using the endpoint's configured username and password, transmitting those credentials to the attacker.

On 4.19.0 and later, the producer explicitly connects to the endpoint's configured host. The remaining attack surface is limited to headers such as mail.smtp.ssl.trust, mail.smtp.starttls.enable, or mail.smtp.socks.host, which can weaken transport security or route the connection through an attacker-controlled proxy to intercept outbound messages.

The vulnerability manifests through header propagation from untrusted producers into the mail component. See the Apache Camel CVE-2026-46584 Advisory for technical details.

Detection Methods for CVE-2026-46584

Indicators of Compromise

  • Outbound SMTP connections from Camel application hosts to unexpected external destinations.
  • Log entries showing mail.smtp.host, mail.smtp.port, or mail.smtps.host values differing from configured endpoint values.
  • Presence of mail.smtp.* or mail.smtps.* headers in messages arriving from external protocols (HTTP, JMS, Kafka).
  • Unexpected authentication failures or successes recorded on the legitimate SMTP relay.

Detection Strategies

  • Audit all Camel routes that terminate in smtp or smtps producers and confirm whether untrusted ingress feeds them.
  • Inspect application logs for JavaMail session property overrides at message send time.
  • Baseline outbound SMTP destinations from application servers and alert on deviations.
  • Scan dependency manifests for vulnerable camel-mail versions across the affected ranges.

Monitoring Recommendations

  • Enable egress network monitoring for SMTP traffic (TCP 25, 465, 587) leaving Camel workloads.
  • Alert on TLS downgrades or plaintext SMTP handshakes to previously unseen hosts.
  • Log inbound request headers and message properties on routes feeding mail producers.

How to Mitigate CVE-2026-46584

Immediate Actions Required

  • Upgrade Apache Camel to 4.21.0, or to the LTS fix 4.14.8, or to 4.18.3 on the 4.18.x stream.
  • Inventory all routes that end in smtp or smtps producers and identify untrusted upstream sources.
  • Rotate any SMTP credentials configured on endpoints that may have been exposed on pre-4.19.0 deployments.
  • Insert removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') between untrusted ingress and mail producers.

Patch Information

Upgrade to Apache Camel 4.21.0, 4.18.3, or 4.14.8 depending on your release stream. After upgrading, the per-message override is disabled by default. Enable it only on trusted endpoints by setting useJavaMailSessionPropertiesFromHeaders=true. Even with the opt-in enabled, strip the mail.smtp.* and mail.smtps.* namespaces on any route path that carries untrusted input. Refer to the Apache Camel CVE-2026-46584 Advisory for full patch details.

Workarounds

  • Add removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') in every route between untrusted ingress and any smtp/smtps producer.
  • Apply a custom HeaderFilterStrategy that blocks the mail.smtp. and mail.smtps. prefixes at protocol component boundaries.
  • Restrict outbound SMTP egress at the network layer to only approved relay hosts.
bash
# Configuration example - strip mail namespace headers before the mail producer
from("platform-http:/submit")
    .removeHeaders("mail.smtp.*")
    .removeHeaders("mail.smtps.*")
    .to("smtp://relay.example.com?username=svc&password=RAW(...)");

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.