CVE-2026-47323 Overview
CVE-2026-47323 is a header injection vulnerability in Apache Camel affecting the camel-cxf-rest, camel-cxf-transport, and camel-knative-http components. The flaw exists in three HeaderFilterStrategy implementations: CxfRsHeaderFilterStrategy, CxfHeaderFilterStrategy, and KnativeHttpHeaderFilterStrategy. These strategies configure outbound filtering through setOutFilterStartsWith but omit inbound filtering via setInFilterStartsWith. Unauthenticated attackers can inject Camel-internal headers such as CamelExecCommandExecutable or CamelFileName through HTTP requests to CXF-RS or CXF-SOAP endpoints. When routes forward these messages to header-driven components like camel-exec or camel-file, the injected headers override configured values. The flaw affects Apache Camel versions 3.18.0 through 4.14.5 and 4.15.0 through 4.18.1.
Critical Impact
Unauthenticated remote attackers can achieve remote code execution or arbitrary file writes by injecting Camel-internal headers that override route configurations, with no user interaction required.
Affected Products
- Apache Camel 3.18.0 up to, but not including, 4.14.6
- Apache Camel 4.15.0 up to, but not including, 4.18.2
- Affected components: camel-cxf-rest, camel-cxf-transport, camel-knative-http
Discovery Timeline
- 2026-05-19 - CVE-2026-47323 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-47323
Vulnerability Analysis
The vulnerability stems from incomplete header filtering in Apache Camel's CXF and Knative HTTP transport layers. Camel uses HeaderFilterStrategy implementations to control which headers traverse component boundaries. The affected strategies define filters only for outbound traffic, leaving inbound HTTP headers unfiltered. Attackers exploit this asymmetry by sending HTTP requests containing headers prefixed with Camel to exposed CXF-RS or CXF-SOAP endpoints. These headers propagate into the Camel exchange and persist as the message flows through the route. The classification falls under [CWE-178] Improper Handling of Case Sensitivity, applied here to header name filtering logic.
Root Cause
The CxfRsHeaderFilterStrategy, CxfHeaderFilterStrategy, and KnativeHttpHeaderFilterStrategy classes invoke setOutFilterStartsWith to strip Camel-internal headers from outbound messages but never call setInFilterStartsWith on inbound traffic. This pattern repeats the issue previously fixed in camel-undertow (CVE-2025-30177), the incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453).
Attack Vector
An attacker sends an HTTP request to a CXF-RS or CXF-SOAP endpoint containing crafted headers such as CamelExecCommandExecutable: /bin/sh or CamelFileName: ../../etc/cron.d/payload. The unfiltered headers enter the Camel exchange. When the route forwards the message to camel-exec, the injected CamelExecCommandExecutable value supersedes the configured executable, producing command execution. Routes terminating in camel-file honor the injected CamelFileName, enabling arbitrary file writes outside intended directories. No authentication or user interaction is required when the endpoint is reachable.
See the Apache Camel CVE-2026-47323 Advisory for the official technical breakdown.
Detection Methods for CVE-2026-47323
Indicators of Compromise
- Inbound HTTP requests to CXF-RS or CXF-SOAP endpoints containing headers prefixed with Camel (case-insensitive), particularly CamelExecCommandExecutable, CamelExecArgs, CamelFileName, or CamelHttpUri.
- Unexpected child processes spawned by the Java Virtual Machine running Camel routes.
- Files written to paths outside the configured camel-file producer directory.
Detection Strategies
- Inspect web access logs and reverse proxy logs for HTTP headers beginning with Camel, org.apache.camel, or CamelExec.
- Hunt for process creation events where a Java process is the parent of shells (/bin/sh, cmd.exe) or system utilities.
- Correlate inbound HTTP traffic to Camel endpoints with file system writes by the Camel service account.
Monitoring Recommendations
- Enable verbose request logging on CXF and Knative HTTP listeners and forward logs to a centralized SIEM for retention and search.
- Alert on any HTTP header name matching the regex ^[Cc]amel.* (or, to cover every casing, the case-insensitive form (?i)^camel used in the WAF rule below) arriving at externally exposed Camel endpoints.
- Monitor outbound network connections from Camel JVMs that deviate from baseline route behavior.
How to Mitigate CVE-2026-47323
Immediate Actions Required
- Upgrade Apache Camel to version 4.19.0, which contains the complete fix.
- Users on the 4.18.x LTS stream must upgrade to 4.18.2.
- Users on the 4.14.x LTS stream must upgrade to 4.14.6.
- Audit existing routes that bridge CXF or Knative HTTP endpoints to camel-exec, camel-file, or other header-driven components and treat them as high-risk until patched.
Patch Information
Apache Camel releases 4.14.6, 4.18.2, and 4.19.0 add setInFilterStartsWith configuration to CxfRsHeaderFilterStrategy, CxfHeaderFilterStrategy, and KnativeHttpHeaderFilterStrategy, ensuring Camel-internal headers are stripped from inbound messages. Patch details are documented in the Apache Camel CVE-2026-47323 Advisory.
Workarounds
- Deploy a custom HeaderFilterStrategy that explicitly calls setInFilterStartsWith("Camel", "org.apache.camel", "camel") and wire it into affected endpoints.
- Place a reverse proxy or Web Application Firewall in front of Camel endpoints to strip any request headers matching Camel* before they reach the application.
- Avoid routes that pass HTTP-derived headers directly into camel-exec, camel-file, or other components that interpret Camel headers as configuration.
# Example WAF rule (ModSecurity) to drop inbound Camel-internal headers
SecRule REQUEST_HEADERS_NAMES "@rx (?i)^camel" \
"id:1047323,phase:1,deny,status:400,\
msg:'Blocked Camel-internal header injection attempt (CVE-2026-47323)'"
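The custom HeaderFilterStrategy workaround above, as an added example that is not code from the Apache Camel project or the advisory. It places the vulnerable outbound-only pattern beside a strategy that also filters inbound names, then applies both to a constructed set of request headers; the class names, the sample headers, and the extra case-insensitive inbound pattern are this example's own choices, and the commented-out route wiring assumes the cxfrs endpoint's headerFilterStrategy option.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.support.DefaultExchange;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

/** Same shape as the affected strategies: only the outbound filter is configured. */
class OutboundOnlyFilterStrategy extends DefaultHeaderFilterStrategy {
    OutboundOnlyFilterStrategy() {
        setOutFilterStartsWith("Camel", "org.apache.camel", "camel");
    }
}

/** Workaround: strip Camel-internal names in both directions. */
class SymmetricCamelFilterStrategy extends DefaultHeaderFilterStrategy {
    SymmetricCamelFilterStrategy() {
        setOutFilterStartsWith("Camel", "org.apache.camel", "camel");
        setInFilterStartsWith("Camel", "org.apache.camel", "camel");
        // Assumption added here: a case-insensitive inbound pattern catches mixed-case names
        // (e.g. CAMELFILENAME) that a prefix list alone would let through.
        setInFilterPattern("(?i)(camel|org\\.apache\\.camel).*");
    }
}

public class HeaderFilterDemo {
    /** Returns the inbound (external) headers the strategy allows into the exchange. */
    static Map<String, Object> admitted(DefaultHeaderFilterStrategy s, Map<String, Object> inbound, Exchange ex) {
        Map<String, Object> kept = new LinkedHashMap<>();
        for (Map.Entry<String, Object> h : inbound.entrySet()) {
            // applyFilterToExternalHeaders returns true when the header must be dropped
            if (!s.applyFilterToExternalHeaders(h.getKey(), h.getValue(), ex)) {
                kept.put(h.getKey(), h.getValue());
            }
        }
        return kept;
    }

    public static void main(String[] args) {
        CamelContext ctx = new DefaultCamelContext();
        Exchange ex = new DefaultExchange(ctx);
        Map<String, Object> inbound = new LinkedHashMap<>(); // constructed sample request headers
        inbound.put("Content-Type", "application/json");
        inbound.put("CamelFileName", "injected-value");
        inbound.put("CAMELEXECCOMMANDEXECUTABLE", "injected-value");
        inbound.put("org.apache.camel.Example", "injected-value");
        System.out.println("outbound-only admits: " + admitted(new OutboundOnlyFilterStrategy(), inbound, ex).keySet());
        System.out.println("symmetric admits:     " + admitted(new SymmetricCamelFilterStrategy(), inbound, ex).keySet());
        // Wiring (assumed endpoint option): register the bean and reference it from the URI, e.g.
        // ctx.getRegistry().bind("camelHeaderFilter", new SymmetricCamelFilterStrategy());
        // from("cxfrs:http://0.0.0.0:8080/api?headerFilterStrategy=#camelHeaderFilter")
    }
}
```

The outbound-only strategy passes every Camel-prefixed name into the exchange, which is exactly the inbound gap the advisory describes; the symmetric strategy admits only the ordinary Content-Type header.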
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.