CVE-2026-33453
Published: 27 April 2026
Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec) The…
more
camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.
Mitigating Controls (NIST 800-53 r5)AI
Remediates the header injection flaw in camel-coap by applying vendor patches to upgrade Apache Camel to fixed versions like 4.18.1 or later.
Validates and sanitizes CoAP URI query parameters prior to mapping them into Camel Exchange headers to block injection of malicious Camel-prefixed headers.
Restricts or disables unnecessary header-sensitive producers like camel-exec or the camel-coap component to limit exploitation pathways.
Security SummaryAI
CVE-2026-33453 is an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CWE-915) in the Apache Camel camel-coap component. The issue arises because the component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy, specifically in CamelCoapResource.handleRequest() which iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader() for each parameter. This enables Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers such as camel-exec, camel-sql, camel-bean, camel-file, or template components like camel-freemarker and camel-velocity. The vulnerability affects Apache Camel versions from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, and 4.19.0, with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
An unauthenticated attacker can exploit this vulnerability by sending a single CoAP UDP datagram to a Camel route consuming from coap:// on the target CoAP port (default 5683). The injected headers, particularly those prefixed with Camel*, override producer behavior; for example, CamelExecCommandExecutable and CamelExecCommandArgs headers in camel-exec allow arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload, providing an interactive remote code execution channel without out-of-band exfiltration. Exploitation prerequisites are minimal, as CoAP (RFC 7252) lacks built-in authentication, DTLS is optional and disabled by default, and the UDP nature bypasses HTTP-layer WAF/IDS controls.
The Apache Camel security advisory and related announcements recommend upgrading to version 4.18.1 or 4.19.0, which address the issue by fixing the header injection in the camel-coap component. Additional details are available in the official advisory at https://camel.apache.org/security/CVE-2026-33453.html and the oss-security mailing list post at http://www.openwall.com/lists/oss-security/2026/04/26/3.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables exploitation of a public-facing CoAP application component for unauthenticated remote access (T1190). It directly facilitates arbitrary OS command execution through header injection into camel-exec and similar producers (T1059).