Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.2%top 94%

CVE-2026-46456: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel

0
Critical
VulnerabilityCVE-2026-46456cvecve-2026-46456cwe-20
Published: 07/06/2026 (07/06/2026, 07:56:51 UTC)
Source: CVE Database V5
Vendor/Project: Apache Software Foundation
Product: Apache Camel

Description

Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component. The camel-aws2-sqs component map inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers being written to the broker) but did not configure an inbound filter. As a result, when Sqs2Consumer copies each SQS MessageAttribute into the Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, DefaultHeaderFilterStrategy applied no inbound rule and treated every header name as not filtered - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - copying them unmodified onto the Camel message. Any principal able to send messages to the consumed SQS queue (for example a cross-account sender or a lower-privileged in-account component holding sqs:SendMessage) could therefore set arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds an inbound HeaderFilterStrategy rule to Sqs2HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so sender-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and restrict who may send to the consumed SQS queue by applying least-privilege sqs:SendMessage permissions on the queue resource policy.

CVSS v3.1

Score 9.8critical

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected software

Apache Software Foundation/org.apache.camel:camel-aws2-sqs
pkg:maven/Apache Software Foundation/org.apache.camel:camel-aws2-sqs
Affected versions
>=4.0.0 <4.14.8>=4.15.0 <4.18.3>=4.19.0 <4.21.0

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/06/2026, 09:09:28 UTC

Technical Analysis

The Apache Camel AWS2-SQS component improperly validates inbound message attributes by not filtering Camel internal control headers during inbound mapping. Specifically, the Sqs2HeaderFilterStrategy only configured outbound filtering but lacked inbound filtering, causing DefaultHeaderFilterStrategy to allow all headers, including Camel internal headers like CamelHttpUri, CamelFileName, and CamelSqlQuery, to be copied unmodified into the Camel Exchange. This enables any principal with sqs:SendMessage permission on the consumed SQS queue to inject headers that can alter downstream route behavior, such as redirecting HTTP producers or changing file names. The vulnerability affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The issue is fixed by adding inbound header filtering that blocks Camel header namespaces case-insensitively. Users are advised to upgrade to 4.21.0 or the appropriate LTS patch versions 4.14.8 or 4.18.3. For those unable to upgrade immediately, removing Camel headers at the start of the route and restricting SQS send permissions are recommended mitigations.

Potential Impact

An attacker able to send messages to the affected SQS queue can inject arbitrary Camel internal control headers into the message exchange. This can influence the behavior of downstream producers in the route, potentially redirecting HTTP requests, modifying file names, or overriding SQL queries. The exact impact depends on the route configuration and which producers are used. This could lead to unauthorized actions or data manipulation within the application processing the messages.

Mitigation Recommendations

A fix is available in Apache Camel versions 4.14.8, 4.18.3, and 4.21.0, which add inbound header filtering to block Camel internal headers. Users should upgrade to these versions to remediate the vulnerability. For deployments unable to upgrade immediately, it is recommended to strip Camel control headers from inbound messages at the start of the route (e.g., using removeHeaders('Camel*') and removeHeaders('camel*')) and to restrict sqs:SendMessage permissions on the SQS queue to only trusted principals following the least-privilege principle.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
apache
Date Reserved
2026-05-14T08:59:11.779Z
Cvss Version
null
State
PUBLISHED
Remediation Level
null
Is Cloud Service
true

Threat ID: 6a4b6cac27e9c7971925229e

Added to database: 07/06/2026, 08:51:56 UTC

Last enriched: 07/06/2026, 09:09:28 UTC

Last updated: 07/06/2026, 23:07:56 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses