Red Hat has issued a critical security advisory for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27, releasing update RHBQ 3.27.3.SP2. This update addresses five vulnerabilities: CVE-2026-42403 and CVE-2026-42402 in Apache Neethi causing denial of service via circular policy references and algorithmic complexity in policy normalization; CVE-2026-42404 in Apache Neethi allowing information disclosure and network access bypass via the PolicyReference API; CVE-2026-40453 in Apache Camel (camel-google-pubsub and camel-jms components) enabling remote code execution and arbitrary file write via case-variant header injection; and CVE-2026-33454 in Camel-Mail causing altered application behavior via header injection. The advisory confirms the availability of an update to remediate these issues and recommends backing up existing installations before applying the update.

The vulnerabilities collectively enable denial of service conditions, information disclosure, network access bypass, remote code execution, arbitrary file writes, and altered application behavior in affected components of Apache Camel and Apache Neethi. These impacts can compromise the security and stability of applications using the affected Red Hat Build of Apache Camel 4.14 for Quarkus 3.27. No known exploits in the wild have been reported at this time.

A security update (RHBQ 3.27.3.SP2) is available from Red Hat to address these vulnerabilities. Users should back up their existing installations, including applications, configuration files, and databases, before applying the update. Applying this official update will remediate the identified security issues. No additional mitigation steps are indicated in the vendor advisory.