CVE-2026-40453: CWE-178 Improper Handling of Case Sensitivity in Apache Software Foundation Apache Camel JMS
CVE-2026-40453 is a critical vulnerability in Apache Camel JMS where improper handling of case sensitivity in header filtering allows attackers with JMS producer access to inject case-variant internal headers. This can lead to remote code execution and arbitrary file writes on routes forwarding JMS messages to header-driven components. The issue affects Apache Camel versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.
AI Analysis
Technical Summary
The vulnerability arises because the fix for a previous issue (CVE-2025-27636) applied case-insensitive filtering only to HTTP HeaderFilterStrategy implementations but not to five non-HTTP HeaderFilterStrategy implementations including JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy. These non-HTTP strategies use case-sensitive filtering on header names starting with 'Camel' or 'camel', while the Camel Exchange stores headers in a case-insensitive map. This mismatch allows an attacker with JMS producer access to inject headers with variant casing that bypass filtering and are later resolved by downstream components using canonical casing, enabling remote code execution and arbitrary file writes. The vulnerability affects Apache Camel JMS in specified version ranges and is fixed in versions 4.14.6, 4.18.2, and 4.20.0.
Potential Impact
An attacker with JMS or equivalent producer access to the message broker can exploit this vulnerability to inject specially crafted headers that bypass filtering controls. This can lead to remote code execution and arbitrary file writes on affected Apache Camel routes that forward JMS messages to header-driven components such as camel-exec and camel-file. The CVSS score of 9.9 indicates a critical impact with high confidentiality, integrity, and availability consequences.
Mitigation Recommendations
Users should upgrade affected Apache Camel JMS versions to 4.20.0 or to the appropriate patched LTS versions: 4.14.6 for the 4.14.x stream and 4.18.2 for the 4.18.x stream. There is no indication that temporary workarounds or other mitigations are available. Patch status is confirmed by the vendor advisory recommending these upgrades.
CVE-2026-40453: CWE-178 Improper Handling of Case Sensitivity in Apache Software Foundation Apache Camel JMS
Description
CVE-2026-40453 is a critical vulnerability in Apache Camel JMS where improper handling of case sensitivity in header filtering allows attackers with JMS producer access to inject case-variant internal headers. This can lead to remote code execution and arbitrary file writes on routes forwarding JMS messages to header-driven components. The issue affects Apache Camel versions from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.
CVSS v3.1
Score 9.9critical
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because the fix for a previous issue (CVE-2025-27636) applied case-insensitive filtering only to HTTP HeaderFilterStrategy implementations but not to five non-HTTP HeaderFilterStrategy implementations including JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy. These non-HTTP strategies use case-sensitive filtering on header names starting with 'Camel' or 'camel', while the Camel Exchange stores headers in a case-insensitive map. This mismatch allows an attacker with JMS producer access to inject headers with variant casing that bypass filtering and are later resolved by downstream components using canonical casing, enabling remote code execution and arbitrary file writes. The vulnerability affects Apache Camel JMS in specified version ranges and is fixed in versions 4.14.6, 4.18.2, and 4.20.0.
Potential Impact
An attacker with JMS or equivalent producer access to the message broker can exploit this vulnerability to inject specially crafted headers that bypass filtering controls. This can lead to remote code execution and arbitrary file writes on affected Apache Camel routes that forward JMS messages to header-driven components such as camel-exec and camel-file. The CVSS score of 9.9 indicates a critical impact with high confidentiality, integrity, and availability consequences.
Mitigation Recommendations
Users should upgrade affected Apache Camel JMS versions to 4.20.0 or to the appropriate patched LTS versions: 4.14.6 for the 4.14.x stream and 4.18.2 for the 4.18.x stream. There is no indication that temporary workarounds or other mitigations are available. Patch status is confirmed by the vendor advisory recommending these upgrades.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-13T08:27:50.386Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ef291bba26a39fba10e17d
Added to database: 4/27/2026, 9:15:07 AM
Last enriched: 5/5/2026, 7:40:41 AM
Last updated: 6/12/2026, 5:20:03 AM
Views: 74
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.