CVE-2026-46584: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel Mail
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Camel Mail Component. The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (for example platform-http query parameters or request headers, or JMS / Kafka messages from untrusted producers) that feeds a route ending in an smtp / smtps producer without an intervening removeHeaders. The maximal impact is version-dependent: on releases before 4.19.0, setting mail.smtp.host redirects the SMTP connection to a server under the attacker's control, and because the producer then authenticates with the endpoint's configured username and password those credentials are transmitted to the attacker; on 4.19.0 and later the producer connects to the endpoint's configured host explicitly, so the reachable impact is limited to weakening transport security (for example mail.smtp.ssl.trust, mail.smtp.starttls.enable or mail.smtp.socks.host) and interception of the outgoing message rather than host redirect. Exploitation requires a route that channels untrusted input into the mail producer without stripping the namespace. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the per-message override is disabled by default; enable it only on trusted endpoints with useJavaMailSessionPropertiesFromHeaders=true. For deployments that cannot upgrade immediately, strip the namespace before the mail producer with removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') between any untrusted ingress and the smtp / smtps producer. Even with the opt-in enabled, route authors should still strip the namespace on any path that carries untrusted input.
AI Analysis
Technical Summary
The vulnerability in Apache Camel Mail arises from the MailProducer.getSender method scanning outgoing messages for headers in the mail.smtp. and mail.smtps. namespaces and applying them as JavaMail session properties, overriding endpoint configurations. This namespace is internal to Camel and not filtered by default, allowing untrusted input from various protocols to influence SMTP producer behavior. In versions before 4.19.0, this can redirect SMTP connections to attacker-controlled servers, exposing configured credentials. In versions 4.19.0 up to but not including 4.21.0, the SMTP host is fixed, limiting the impact to weakening transport security settings and potential message interception. Exploitation requires a route that allows untrusted input to reach the mail producer without removing these headers. The vulnerability affects Apache Camel versions 4.0.0 up to but excluding 4.14.8, 4.15.0 up to but excluding 4.18.3, and 4.19.0 up to but excluding 4.21.0. The issue is resolved in version 4.21.0, with additional fixes in 4.14.8 and 4.18.3 for LTS streams. After upgrading, the per-message override feature is disabled by default and should only be enabled on trusted endpoints. For those unable to upgrade immediately, removing mail.smtp.* and mail.smtps.* headers from untrusted inputs before the mail producer is recommended.
Potential Impact
Before version 4.19.0, attackers can redirect SMTP connections to servers under their control and capture the endpoint's configured username and password, leading to credential exposure. From version 4.19.0 to before 4.21.0, the SMTP host is fixed, so the impact is limited to weakening transport security parameters and potential interception of outgoing messages. Exploitation requires specific routing configurations that allow untrusted input to influence mail producer headers without filtering. No known exploits are reported in the wild.
Mitigation Recommendations
A fix is available in Apache Camel version 4.21.0, with additional fixes in 4.14.8 and 4.18.3 for LTS releases. Users should upgrade to these versions to resolve the vulnerability. After upgrading, the per-message JavaMail session property override is disabled by default and should only be enabled on trusted endpoints by setting useJavaMailSessionPropertiesFromHeaders=true. For environments that cannot upgrade immediately, it is recommended to strip the mail.smtp.* and mail.smtps.* namespaces from untrusted inputs before they reach the mail producer by using removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*'). Even when the override feature is enabled, route authors should ensure untrusted inputs do not carry these namespaces.
CVE-2026-46584: CWE-20 Improper Input Validation in Apache Software Foundation Apache Camel Mail
Description
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Camel Mail Component. The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (for example platform-http query parameters or request headers, or JMS / Kafka messages from untrusted producers) that feeds a route ending in an smtp / smtps producer without an intervening removeHeaders. The maximal impact is version-dependent: on releases before 4.19.0, setting mail.smtp.host redirects the SMTP connection to a server under the attacker's control, and because the producer then authenticates with the endpoint's configured username and password those credentials are transmitted to the attacker; on 4.19.0 and later the producer connects to the endpoint's configured host explicitly, so the reachable impact is limited to weakening transport security (for example mail.smtp.ssl.trust, mail.smtp.starttls.enable or mail.smtp.socks.host) and interception of the outgoing message rather than host redirect. Exploitation requires a route that channels untrusted input into the mail producer without stripping the namespace. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the per-message override is disabled by default; enable it only on trusted endpoints with useJavaMailSessionPropertiesFromHeaders=true. For deployments that cannot upgrade immediately, strip the namespace before the mail producer with removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') between any untrusted ingress and the smtp / smtps producer. Even with the opt-in enabled, route authors should still strip the namespace on any path that carries untrusted input.
CVSS v3.1
Score 3.7low
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-mailRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in Apache Camel Mail arises from the MailProducer.getSender method scanning outgoing messages for headers in the mail.smtp. and mail.smtps. namespaces and applying them as JavaMail session properties, overriding endpoint configurations. This namespace is internal to Camel and not filtered by default, allowing untrusted input from various protocols to influence SMTP producer behavior. In versions before 4.19.0, this can redirect SMTP connections to attacker-controlled servers, exposing configured credentials. In versions 4.19.0 up to but not including 4.21.0, the SMTP host is fixed, limiting the impact to weakening transport security settings and potential message interception. Exploitation requires a route that allows untrusted input to reach the mail producer without removing these headers. The vulnerability affects Apache Camel versions 4.0.0 up to but excluding 4.14.8, 4.15.0 up to but excluding 4.18.3, and 4.19.0 up to but excluding 4.21.0. The issue is resolved in version 4.21.0, with additional fixes in 4.14.8 and 4.18.3 for LTS streams. After upgrading, the per-message override feature is disabled by default and should only be enabled on trusted endpoints. For those unable to upgrade immediately, removing mail.smtp.* and mail.smtps.* headers from untrusted inputs before the mail producer is recommended.
Potential Impact
Before version 4.19.0, attackers can redirect SMTP connections to servers under their control and capture the endpoint's configured username and password, leading to credential exposure. From version 4.19.0 to before 4.21.0, the SMTP host is fixed, so the impact is limited to weakening transport security parameters and potential interception of outgoing messages. Exploitation requires specific routing configurations that allow untrusted input to influence mail producer headers without filtering. No known exploits are reported in the wild.
Mitigation Recommendations
A fix is available in Apache Camel version 4.21.0, with additional fixes in 4.14.8 and 4.18.3 for LTS releases. Users should upgrade to these versions to resolve the vulnerability. After upgrading, the per-message JavaMail session property override is disabled by default and should only be enabled on trusted endpoints by setting useJavaMailSessionPropertiesFromHeaders=true. For environments that cannot upgrade immediately, it is recommended to strip the mail.smtp.* and mail.smtps.* namespaces from untrusted inputs before they reach the mail producer by using removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*'). Even when the override feature is enabled, route authors should ensure untrusted inputs do not carry these namespaces.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-15T07:52:46.176Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a4b6cac27e9c797192522a4
Added to database: 07/06/2026, 08:51:56 UTC
Last enriched: 07/06/2026, 09:09:08 UTC
Last updated: 07/06/2026, 23:08:04 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.