CVE-2026-33453 is a critical vulnerability in Apache Camel's camel-coap component where incoming CoAP request URI query parameters are directly mapped into Camel Exchange In message headers without any filtering. This allows an unauthenticated attacker to inject arbitrary Camel internal headers, including those prefixed with Camel*, by sending a single UDP datagram to the CoAP port (default 5683). When these crafted messages reach header-sensitive producers like camel-exec, the attacker can override configured executables and arguments, resulting in remote code execution under the Camel process privileges. The vulnerability stems from the lack of a HeaderFilterStrategy in the component, and the default insecure nature of CoAP (no authentication, optional DTLS disabled). The flaw affects Apache Camel versions 4.14.0 to 4.14.5, 4.18.0 before 4.18.1, and 4.19.0. Fixed versions 4.18.1 and 4.19.0 address this issue.

Successful exploitation allows unauthenticated remote attackers to execute arbitrary operating system commands with the privileges of the Apache Camel process. This leads to complete compromise of the affected system, including confidentiality, integrity, and availability impacts. The attack requires only a single UDP packet to the CoAP service port, which is typically exposed and unauthenticated, making the vulnerability highly exploitable. The vulnerability enables an interactive remote code execution channel with output returned in the CoAP response, facilitating attacker control without additional exfiltration mechanisms.

Users should upgrade Apache Camel to version 4.18.1 or 4.19.0, where this vulnerability is fixed. No other mitigations are specified or recommended by the vendor. Since this is not a cloud service, remediation depends on applying the official software update. Patch status is confirmed by the vendor advisory recommending these versions. Until patched, disabling or restricting access to the camel-coap component or the CoAP UDP port may reduce exposure.