CVE-2026-33454: CWE-502 Deserialization of Untrusted Data in Apache Software Foundation Apache Camel
Description
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith; it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from("imap://...") or from("pop3://...")), the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891).

This issue affects Apache Camel from 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. Users on the 4.18.x LTS release stream are suggested to upgrade to 4.18.1; users on the 4.14.x LTS release stream are suggested to upgrade to 4.14.6.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because the Camel-Mail component's custom header filter strategy only filters outbound headers but does not filter inbound headers. Consequently, when consuming mail via protocols like IMAP or POP3, inbound Camel-prefixed MIME headers are mapped into the Camel Exchange without filtering. An attacker capable of delivering email to the monitored mailbox can inject malicious Camel-specific headers that influence the behavior of downstream components such as camel-bean, camel-exec, or camel-sql. This vulnerability is related to CWE-502 (Deserialization of Untrusted Data) and is similar to previously addressed issues in other Camel components. The affected versions are Apache Camel from 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1. Upgrades to 4.14.6, 4.18.1, or 4.19.0 fix the issue.
Potential Impact
An attacker who can send email to a mailbox consumed by a vulnerable Apache Camel application can inject specially crafted Camel-prefixed MIME headers. These headers can manipulate the behavior of downstream Camel components, potentially leading to unintended execution paths or actions within the application. The impact depends on the downstream components and route configurations but may include unauthorized command execution or data manipulation within the Camel routes.
Mitigation Recommendations
Users should upgrade Apache Camel to version 4.19.0 to fully address this vulnerability. If using the 4.18.x LTS release stream, upgrade to 4.18.1. If using the 4.14.x LTS release stream, upgrade to 4.14.6. These versions include the necessary fixes to properly filter inbound Camel-prefixed MIME headers. No other mitigation or temporary workaround is specified in the advisory.
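As an added illustration (not code from the Apache Camel project or from the advisory), the Java sketch below contrasts the shape the advisory describes, a DefaultHeaderFilterStrategy subclass that configures only setOutFilterStartsWith, with one that also configures the inbound direction via setInFilterStartsWith, and wires the latter into a camel-mail consumer through the endpoint's headerFilterStrategy option. The class names, the registry name safeMailHeaders, the IMAP host and credentials, the direct:process and bean:orderHandler endpoints, and the set of filtered prefixes are all assumptions made for this example; it assumes a Camel version that provides the two setters named in the advisory. It shows the in/out asymmetry the advisory is about; the remediation the advisory prescribes is the version upgrade.

```java
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

/**
 * The shape the advisory describes (illustrative; not Camel's own MailHeaderFilterStrategy):
 * only the 'out' direction is configured, so Camel-prefixed headers carried on
 * received mail are copied into the Exchange without any inbound check.
 */
class OutOnlyHeaderFilterStrategy extends DefaultHeaderFilterStrategy {
    OutOnlyHeaderFilterStrategy() {
        setOutFilterStartsWith("Camel", "camel", "org.apache.camel.");
        // no setInFilterStartsWith(...): the inbound filter check is effectively skipped
    }
}

/**
 * Hardened shape: the same prefixes are filtered in both directions, so a
 * Camel-prefixed MIME header on an inbound message is dropped before any
 * downstream component (bean, exec, sql, ...) can interpret it.
 */
class BothWaysHeaderFilterStrategy extends DefaultHeaderFilterStrategy {
    BothWaysHeaderFilterStrategy() {
        // Prefixes chosen for this example; the advisory speaks of "Camel-prefixed" headers.
        String[] camelPrefixes = {"Camel", "camel", "org.apache.camel."};
        setOutFilterStartsWith(camelPrefixes);
        setInFilterStartsWith(camelPrefixes);
    }
}

public class MailConsumerRoute extends RouteBuilder {
    @Override
    public void configure() {
        // Register the hardened strategy under a name the endpoint URI can reference (assumed name).
        getContext().getRegistry().bind("safeMailHeaders", new BothWaysHeaderFilterStrategy());

        // Hypothetical mailbox and credentials. headerFilterStrategy=#safeMailHeaders makes this
        // consumer use the both-ways strategy instead of the component's default one.
        from("imap://mail.example.test?username=RAW(reader)&password=RAW(secret)"
                + "&delete=false&headerFilterStrategy=#safeMailHeaders")
            .log("received mail, subject=${header.Subject}")
            .to("direct:process");

        from("direct:process")
            // Name the target method explicitly in the URI rather than relying on a header.
            .to("bean:orderHandler?method=handle");
    }
}
```

Registering the strategy in the Camel registry and referencing it with `#safeMailHeaders` is the usual way to swap a component's default HeaderFilterStrategy for a single endpoint; the difference between the two classes is the single setInFilterStartsWith call, which is exactly the configuration the advisory reports as missing from MailHeaderFilterStrategy.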
Technical Details
- Data Version: 5.2
- Assigner Short Name: apache
- Date Reserved: 2026-03-20T09:46:41.656Z
- CVSS Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69ef33a6ba26a39fba154125
Added to database: 4/27/2026, 10:00:06 AM
Last enriched: 4/27/2026, 10:15:59 AM
Last updated: 4/28/2026, 1:44:55 AM