CVE-2026-40047: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Apache Software Foundation Apache Camel
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component. The camel-docling component invokes the external `docling` command-line tool by assembling an argument list in DoclingProducer and executing it through java.lang.ProcessBuilder. Custom CLI arguments supplied through the `CamelDoclingCustomArguments` exchange header (a List<String>) were appended to that argument list with insufficient validation: the original implementation relied on a denylist of disallowed flags and only rejected path values that contained a literal `../` sequence. As a result, a Camel route that forwards externally-influenced data into the `CamelDoclingCustomArguments` header (or into the path-bearing headers used to build the invocation) could cause the producer to pass unrecognized or unintended `docling` CLI flags to the subprocess, and could supply path-like argument values that resolved outside the intended directory through traversal sequences not caught by the literal `../` check. Because Camel itself builds the `docling` invocation from these values, the component is responsible for constraining them, and the weak validation allowed CLI-argument injection and directory traversal in the arguments passed to the external tool. The invocation uses the list-based form of ProcessBuilder, so a shell does not interpret the argument values; OS command injection through shell metacharacters was not possible, and the metacharacter rejection added by the fix is defense-in-depth. This issue affects Apache Camel: from 4.15.0 before 4.18.3. Users are recommended to upgrade to a release that contains the CAMEL-23212 fix. On the mainline the fix is included from Apache Camel 4.19.0 (and later releases such as 4.20.0). For users on the 4.18.x LTS releases stream, upgrade to 4.18.3. The fix replaces the denylist with a strict allowlist of recognized `docling` CLI flags (rejecting any unrecognized flag, and rejecting producer-managed flags such as the output-directory flags), defensively rejects shell metacharacters in argument values, and normalizes path-like values with Path.normalize() before validating them so that traversal sequences which bypass a literal `../` check are detected. As defence in depth, route authors should avoid mapping untrusted message content into the `CamelDoclingCustomArguments` header and the path-bearing headers, and should strip Camel-internal headers from messages that arrive from untrusted producers.
AI Analysis
Technical Summary
The vulnerability in Apache Camel's DoclingProducer arises from improper neutralization of argument delimiters (CWE-88) when assembling command-line arguments for the external docling tool. The component previously relied on a denylist and a simplistic check for '../' sequences to validate arguments, which was insufficient to prevent injection of unrecognized CLI flags and directory traversal via path-like arguments. Because the invocation uses ProcessBuilder's argument list form, shell command injection is not possible, but argument injection and directory traversal remain risks. The fix, included from version 4.18.3 and mainline 4.19.0 onward, implements a strict allowlist of recognized flags, rejects shell metacharacters defensively, and normalizes paths to detect traversal sequences. Route authors are also advised to avoid passing untrusted data into the vulnerable headers.
Potential Impact
An attacker able to influence the CamelDoclingCustomArguments header or path-bearing headers in Apache Camel routes could cause the DoclingProducer to pass unintended CLI flags or directory traversal paths to the external docling tool. This may lead to unexpected behavior or processing of files outside intended directories. However, OS command injection via shell metacharacters is not possible due to the use of ProcessBuilder's argument list form. No known exploits in the wild have been reported.
Mitigation Recommendations
A fix is available and included in Apache Camel version 4.18.3 and later (including mainline 4.19.0 and 4.20.0). Users should upgrade to these versions to address the vulnerability. The fix replaces the denylist with a strict allowlist of recognized docling CLI flags, rejects shell metacharacters in arguments, and normalizes paths to detect traversal sequences. Additionally, route authors should avoid mapping untrusted message content into the CamelDoclingCustomArguments header and related path-bearing headers, and strip Camel-internal headers from messages originating from untrusted sources as defense in depth.
CVE-2026-40047: CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in Apache Software Foundation Apache Camel
Description
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component. The camel-docling component invokes the external `docling` command-line tool by assembling an argument list in DoclingProducer and executing it through java.lang.ProcessBuilder. Custom CLI arguments supplied through the `CamelDoclingCustomArguments` exchange header (a List<String>) were appended to that argument list with insufficient validation: the original implementation relied on a denylist of disallowed flags and only rejected path values that contained a literal `../` sequence. As a result, a Camel route that forwards externally-influenced data into the `CamelDoclingCustomArguments` header (or into the path-bearing headers used to build the invocation) could cause the producer to pass unrecognized or unintended `docling` CLI flags to the subprocess, and could supply path-like argument values that resolved outside the intended directory through traversal sequences not caught by the literal `../` check. Because Camel itself builds the `docling` invocation from these values, the component is responsible for constraining them, and the weak validation allowed CLI-argument injection and directory traversal in the arguments passed to the external tool. The invocation uses the list-based form of ProcessBuilder, so a shell does not interpret the argument values; OS command injection through shell metacharacters was not possible, and the metacharacter rejection added by the fix is defense-in-depth. This issue affects Apache Camel: from 4.15.0 before 4.18.3. Users are recommended to upgrade to a release that contains the CAMEL-23212 fix. On the mainline the fix is included from Apache Camel 4.19.0 (and later releases such as 4.20.0). For users on the 4.18.x LTS releases stream, upgrade to 4.18.3. The fix replaces the denylist with a strict allowlist of recognized `docling` CLI flags (rejecting any unrecognized flag, and rejecting producer-managed flags such as the output-directory flags), defensively rejects shell metacharacters in argument values, and normalizes path-like values with Path.normalize() before validating them so that traversal sequences which bypass a literal `../` check are detected. As defence in depth, route authors should avoid mapping untrusted message content into the `CamelDoclingCustomArguments` header and the path-bearing headers, and should strip Camel-internal headers from messages that arrive from untrusted producers.
CVSS v3.1
Score 9.1critical
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-doclingRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Camel's DoclingProducer arises from improper neutralization of argument delimiters (CWE-88) when assembling command-line arguments for the external docling tool. The component previously relied on a denylist and a simplistic check for '../' sequences to validate arguments, which was insufficient to prevent injection of unrecognized CLI flags and directory traversal via path-like arguments. Because the invocation uses ProcessBuilder's argument list form, shell command injection is not possible, but argument injection and directory traversal remain risks. The fix, included from version 4.18.3 and mainline 4.19.0 onward, implements a strict allowlist of recognized flags, rejects shell metacharacters defensively, and normalizes paths to detect traversal sequences. Route authors are also advised to avoid passing untrusted data into the vulnerable headers.
Potential Impact
An attacker able to influence the CamelDoclingCustomArguments header or path-bearing headers in Apache Camel routes could cause the DoclingProducer to pass unintended CLI flags or directory traversal paths to the external docling tool. This may lead to unexpected behavior or processing of files outside intended directories. However, OS command injection via shell metacharacters is not possible due to the use of ProcessBuilder's argument list form. No known exploits in the wild have been reported.
Mitigation Recommendations
A fix is available and included in Apache Camel version 4.18.3 and later (including mainline 4.19.0 and 4.20.0). Users should upgrade to these versions to address the vulnerability. The fix replaces the denylist with a strict allowlist of recognized docling CLI flags, rejects shell metacharacters in arguments, and normalizes paths to detect traversal sequences. Additionally, route authors should avoid mapping untrusted message content into the CamelDoclingCustomArguments header and related path-bearing headers, and strip Camel-internal headers from messages originating from untrusted sources as defense in depth.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-08T16:19:46.829Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4b6caa27e9c797192521b0
Added to database: 07/06/2026, 08:51:54 UTC
Last enriched: 07/06/2026, 09:22:32 UTC
Last updated: 07/07/2026, 00:16:47 UTC
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.