CVE-2026-49099: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in Apache Software Foundation Apache Camel Salesforce
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig (for example SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod, and the apexQueryParam. prefix) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a salesforce: producer, any HTTP client could therefore set these headers and override what the route intended - supplying its own SOQL query or SOSL search to read data from any SObject the connected Salesforce user can access, overriding the target SObject name and id for CRUD operations, or redirecting an Apex REST call to a different endpoint and HTTP method (including destructive methods) with injected query parameters. All such operations run with the full permissions of the Salesforce connected (integration) user, which is typically broad. No credentials are required from the attacker when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObject* / apex* values; the endpoint-option spelling is unchanged. For deployments that cannot upgrade immediately, strip the Salesforce control headers from any untrusted ingress before the salesforce: producer (for example removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route), and set the query, SObject and Apex parameters from a trusted source.
AI Analysis
Technical Summary
The Apache Camel Salesforce component improperly neutralizes special elements in output used by downstream components, specifically in how it resolves operation parameters from Exchange message headers. Headers such as sObjectQuery, sObjectSearch, sObjectName, sObjectId, apexUrl, and apexMethod are not prefixed with the Camel namespace and thus pass through HttpHeaderFilterStrategy unchecked. This allows an HTTP client to override intended Salesforce operation parameters in routes bridging HTTP consumers to salesforce: producers, potentially executing arbitrary SOQL/SOSL queries or Apex REST calls with the connected Salesforce user's permissions. The vulnerability affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The issue is fixed in versions 4.14.8, 4.18.3, and 4.21.0 respectively. Mitigation includes upgrading to these versions or removing vulnerable headers from untrusted ingress traffic and using Camel-prefixed header names.
Potential Impact
An attacker can bypass intended authorization controls by injecting or overriding Salesforce operation parameters via HTTP headers, enabling unauthorized data queries, modifications, or Apex REST calls executed with the full permissions of the connected Salesforce integration user. No attacker credentials are required if the bridging HTTP consumer is unauthenticated, increasing the risk of unauthorized access or destructive operations within the Salesforce environment connected to Apache Camel.
Mitigation Recommendations
A fix is available. Users should upgrade to Apache Camel Salesforce versions 4.14.8, 4.18.3, or 4.21.0 depending on their release stream. After upgrading, routes must use Camel-prefixed header names (e.g., CamelSalesforceSObjectQuery) instead of the vulnerable raw header names (e.g., sObjectQuery). For deployments unable to upgrade immediately, remove the vulnerable Salesforce control headers (such as those starting with sObject* and apex*) from untrusted ingress before the salesforce: producer in the route configuration to prevent header injection.
CVE-2026-49099: CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in Apache Software Foundation Apache Camel Salesforce
Description
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig (for example SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod, and the apexQueryParam. prefix) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a salesforce: producer, any HTTP client could therefore set these headers and override what the route intended - supplying its own SOQL query or SOSL search to read data from any SObject the connected Salesforce user can access, overriding the target SObject name and id for CRUD operations, or redirecting an Apex REST call to a different endpoint and HTTP method (including destructive methods) with injected query parameters. All such operations run with the full permissions of the Salesforce connected (integration) user, which is typically broad. No credentials are required from the attacker when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObject* / apex* values; the endpoint-option spelling is unchanged. For deployments that cannot upgrade immediately, strip the Salesforce control headers from any untrusted ingress before the salesforce: producer (for example removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route), and set the query, SObject and Apex parameters from a trusted source.
Affected software
pkg:maven/Apache Software Foundation/org.apache.camel:camel-salesforceRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Apache Camel Salesforce component improperly neutralizes special elements in output used by downstream components, specifically in how it resolves operation parameters from Exchange message headers. Headers such as sObjectQuery, sObjectSearch, sObjectName, sObjectId, apexUrl, and apexMethod are not prefixed with the Camel namespace and thus pass through HttpHeaderFilterStrategy unchecked. This allows an HTTP client to override intended Salesforce operation parameters in routes bridging HTTP consumers to salesforce: producers, potentially executing arbitrary SOQL/SOSL queries or Apex REST calls with the connected Salesforce user's permissions. The vulnerability affects Apache Camel versions from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, and from 4.19.0 before 4.21.0. The issue is fixed in versions 4.14.8, 4.18.3, and 4.21.0 respectively. Mitigation includes upgrading to these versions or removing vulnerable headers from untrusted ingress traffic and using Camel-prefixed header names.
Potential Impact
An attacker can bypass intended authorization controls by injecting or overriding Salesforce operation parameters via HTTP headers, enabling unauthorized data queries, modifications, or Apex REST calls executed with the full permissions of the connected Salesforce integration user. No attacker credentials are required if the bridging HTTP consumer is unauthenticated, increasing the risk of unauthorized access or destructive operations within the Salesforce environment connected to Apache Camel.
Mitigation Recommendations
A fix is available. Users should upgrade to Apache Camel Salesforce versions 4.14.8, 4.18.3, or 4.21.0 depending on their release stream. After upgrading, routes must use Camel-prefixed header names (e.g., CamelSalesforceSObjectQuery) instead of the vulnerable raw header names (e.g., sObjectQuery). For deployments unable to upgrade immediately, remove the vulnerable Salesforce control headers (such as those starting with sObject* and apex*) from untrusted ingress before the salesforce: producer in the route configuration to prevent header injection.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-05-27T11:46:24.688Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
- Is Cloud Service
- true
Threat ID: 6a4b6cb027e9c7971925268f
Added to database: 07/06/2026, 08:52:00 UTC
Last enriched: 07/06/2026, 09:07:19 UTC
Last updated: 07/07/2026, 02:22:11 UTC
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.