CVE-2026-33453: CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Software Foundation Apache Camel
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec) The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.
AI Analysis
Technical Summary
Apache Camel's camel-coap component improperly controls modification of dynamically-determined object attributes by mapping incoming CoAP URI query parameters directly into Camel Exchange In message headers without applying any header filtering strategy. This allows an unauthenticated attacker to inject arbitrary Camel internal headers, including those prefixed with Camel*, into the Exchange. When such a message is routed to header-sensitive producers like camel-exec, the injected headers can override configured executable commands and arguments, resulting in remote code execution under the Camel process privileges. The vulnerability is exploitable via a single UDP datagram to the default CoAP port (5683), which lacks built-in authentication and typically does not use DTLS. The issue affects Apache Camel versions 4.14.0 through 4.14.5, 4.18.0 before 4.18.1, and 4.19.0. Upgrading to 4.18.1 or 4.19.0 mitigates the vulnerability.
Potential Impact
An unauthenticated attacker can achieve remote code execution on systems running vulnerable versions of Apache Camel by sending a single malicious CoAP UDP packet. This allows execution of arbitrary OS commands with the privileges of the Camel process. The attack also provides an interactive channel as the output of the executed commands is returned in the CoAP response. Because CoAP is UDP-based and typically unauthenticated, and because HTTP-layer protections do not apply, the vulnerability is highly accessible to attackers who can reach the CoAP service.
Mitigation Recommendations
A fix is available by upgrading Apache Camel to version 4.18.1 or 4.19.0, which address this vulnerability. Users should apply these updates promptly. No other vendor advisory or patch information is provided, so patch status beyond these versions is not confirmed. Until upgraded, users should consider restricting network access to the CoAP port (default 5683) to trusted sources and enabling DTLS if possible to mitigate unauthenticated access.
CVE-2026-33453: CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes in Apache Software Foundation Apache Camel
Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec) The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Apache Camel's camel-coap component improperly controls modification of dynamically-determined object attributes by mapping incoming CoAP URI query parameters directly into Camel Exchange In message headers without applying any header filtering strategy. This allows an unauthenticated attacker to inject arbitrary Camel internal headers, including those prefixed with Camel*, into the Exchange. When such a message is routed to header-sensitive producers like camel-exec, the injected headers can override configured executable commands and arguments, resulting in remote code execution under the Camel process privileges. The vulnerability is exploitable via a single UDP datagram to the default CoAP port (5683), which lacks built-in authentication and typically does not use DTLS. The issue affects Apache Camel versions 4.14.0 through 4.14.5, 4.18.0 before 4.18.1, and 4.19.0. Upgrading to 4.18.1 or 4.19.0 mitigates the vulnerability.
Potential Impact
An unauthenticated attacker can achieve remote code execution on systems running vulnerable versions of Apache Camel by sending a single malicious CoAP UDP packet. This allows execution of arbitrary OS commands with the privileges of the Camel process. The attack also provides an interactive channel as the output of the executed commands is returned in the CoAP response. Because CoAP is UDP-based and typically unauthenticated, and because HTTP-layer protections do not apply, the vulnerability is highly accessible to attackers who can reach the CoAP service.
Mitigation Recommendations
A fix is available by upgrading Apache Camel to version 4.18.1 or 4.19.0, which address this vulnerability. Users should apply these updates promptly. No other vendor advisory or patch information is provided, so patch status beyond these versions is not confirmed. Until upgraded, users should consider restricting network access to the CoAP port (default 5683) to trusted sources and enabling DTLS if possible to mitigate unauthenticated access.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-03-20T09:04:24.188Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ef3e3cba26a39fba196b2e
Added to database: 4/27/2026, 10:45:16 AM
Last enriched: 4/27/2026, 11:00:43 AM
Last updated: 4/27/2026, 11:55:58 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.