Apache Camel flaws expose mail, CoAP, JMS, and HTTP routes to RCE and auth bypass
Apache disclosed four vulnerabilities in Apache Camel affecting message handling and request protection across multiple components. The most severe issues, CVE-2026-33453 and CVE-2026-33454, allow attackers to inject Camel internal headers through untrusted inputs that are copied into the Exchange without proper inbound filtering. In camel-coap, a single unauthenticated UDP packet can place arbitrary query parameters into Exchange headers, enabling pre-authentication remote code execution when routes forward data to header-sensitive components such as camel-exec, camel-sql, camel-bean, camel-file, or template processors. In camel-mail, emails received over IMAP or POP3 can carry crafted MIME headers with the Camel prefix that reach downstream components and similarly influence execution, making remote code execution possible in vulnerable deployments.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Apache Camel discloses CVE-2026-40453 incomplete fix in header filtering
Apache disclosed an important-severity vulnerability caused by an incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategy implementations including camel-jms, camel-sjms, camel-coap, and camel-google-pubsub. The bug allows case-variant internal header injection that can lead to remote code execution or arbitrary file write in affected routes.
Apache Camel discloses CVE-2026-40022 auth bypass in camel-platform-http-main
Apache disclosed a moderate-severity authentication bypass in camel-platform-http-main affecting non-root context paths when the authentication path is not explicitly set. The flaw can expose protected routes and management endpoints, and Apache recommended upgrading affected 4.14.x and 4.18.x releases.
Apache Camel discloses CVE-2026-33454 in camel-mail
Apache disclosed an important-severity flaw in camel-mail where inbound MIME headers are not filtered, allowing attackers to inject Camel-specific headers via email and potentially trigger downstream remote code execution. Apache said affected versions include 3.0.0 before 4.14.6 and 4.15.0 before 4.18.1, and credited Hyunwoo Kim.
Apache Camel discloses CVE-2026-33453 in camel-coap
Apache disclosed a high-severity vulnerability in the camel-coap component that allows CoAP URI query parameters to be injected into Camel Exchange headers, enabling single-packet pre-authentication RCE in vulnerable routes. The issue affects camel-coap 4.14.0 through 4.14.5, 4.18.0 before 4.18.1, and 4.19.0, and was credited to Hyunwoo Kim.
Apache Camel fixes camel-coap header filtering issue in supported branches
Apache Camel resolved a camel-coap issue in JIRA where CoAP query parameters were mapped to Camel Exchange headers without a HeaderFilterStrategy. The fix was released in versions 4.14.6 and 4.18.1 and tracked through coordinated pull requests across supported branches.
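The failure mode running through the events above is the same in each component: names and values that arrive from an untrusted protocol (CoAP query parameters, MIME headers, JMS properties) are copied into the Camel Exchange as headers, either with no inbound filter at all or with a filter that compares prefixes case-sensitively and so admits a case-variant spelling. The Python below is an added illustration of that filtering decision, not code from Apache Camel or from this page; it assumes nothing about Camel's API, and the prefixes, the two small parsers and the sample inputs are constructed here. It shows the three outcomes side by side: no filter admits every external name, a case-sensitive prefix check admits a case-variant name (the gap CVE-2026-40453 describes), and a case-insensitive check rejects both spellings.

```python
# Prefixes Camel uses for its own Exchange headers. The policy modelled here
# (reject any externally supplied name carrying one of these prefixes) is the
# intent stated in the advisories; this is not Camel's HeaderFilterStrategy.
INTERNAL_PREFIXES = ("Camel", "org.apache.camel")


def parse_coap_query(query: str) -> dict:
    """Parse a CoAP URI query string ('a=1&b=2') into a name -> value mapping.

    Models the unfiltered mapping the camel-coap fix replaced: every query
    parameter becomes a candidate Exchange header, untouched.
    """
    headers = {}
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        headers[name] = value
    return headers


def parse_mime_headers(raw: str) -> dict:
    """Parse an RFC 5322 style header block into a mapping.

    Folded continuation lines (leading whitespace) are joined onto the
    previous header; parsing stops at the blank line before the body.
    """
    headers = {}
    last = None
    for line in raw.split("\n"):
        if line == "":
            break
        if line[0] in " \t" and last is not None:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip()
        headers[last] = value.strip()
    return headers


def is_internal_name(name: str, case_insensitive: bool) -> bool:
    """True if the header name carries a Camel internal prefix.

    case_insensitive=False models a prefix check that only matches the
    canonical spelling; case_insensitive=True models the hardened check.
    """
    for prefix in INTERNAL_PREFIXES:
        if case_insensitive:
            if name.lower().startswith(prefix.lower()):
                return True
        elif name.startswith(prefix):
            return True
    return False


def filter_inbound(headers: dict, case_insensitive: bool = True) -> tuple:
    """Split externally supplied headers into (accepted, rejected).

    Only `accepted` would be copied into the Exchange; `rejected` is what a
    defender would log as an attempted internal-header injection.
    """
    accepted, rejected = {}, {}
    for name, value in headers.items():
        if is_internal_name(name, case_insensitive):
            rejected[name] = value
        else:
            accepted[name] = value
    return accepted, rejected


# Constructed samples; the header names are placeholders, not real Camel headers.
SAMPLE_COAP_QUERY = "deviceId=42&CamelExampleHeader=x&cAmElExampleHeader=y"
SAMPLE_MAIL = (
    "From: sensor@example.test\n"
    "Subject: report\n"
    "ORG.APACHE.CAMEL.ExampleHeader: z\n"
    "X-Trace: abc\n"
    " def\n"
    "\n"
    "body text\n"
)


def demo() -> dict:
    """Rejected header names per (source, filter mode); no filter rejects none."""
    results = {}
    sources = (("coap", parse_coap_query(SAMPLE_COAP_QUERY)),
               ("mail", parse_mime_headers(SAMPLE_MAIL)))
    for label, headers in sources:
        results[(label, "none")] = []
        for mode in (False, True):
            _, rejected = filter_inbound(headers, case_insensitive=mode)
            results[(label, "ci" if mode else "cs")] = sorted(rejected)
    return results


if __name__ == "__main__":
    for key, rejected in demo().items():
        print(key, rejected)
```

Run it and the CoAP row shows the case-sensitive filter rejecting only `CamelExampleHeader` while `cAmElExampleHeader` slips through, and the mail row shows the upper-cased `ORG.APACHE.CAMEL.` name passing the case-sensitive check entirely; the case-insensitive filter rejects all three. The `rejected` map is the natural place to attach logging, since a non-empty result on a CoAP or mail consumer is a strong signal that someone is probing the route.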
Sources
CVE-2026-33454 - Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant) (cvefeed.io)
CVE-2026-33453 - Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution (cvefeed.io)
oss-sec: CVE-2026-33453: Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution (seclists.org)
oss-sec: CVE-2026-33454: Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant) (seclists.org)
oss-sec: CVE-2026-40453: Apache Camel: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection (seclists.org)
oss-sec: CVE-2026-40022: Apache Camel: Camel-Platform-HTTP-Main: Authentication Bypass on Non-Root Context Paths in camel main runtime (seclists.org)
[CAMEL-23222] camel-coap: Integrate HeaderFilterStrategy for CoAP query parameter to header mapping - ASF Jira (issues.apache.org)