CVE-2026-33454
Published: 27 April 2026
Description
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from("imap://...") or from("pop3://...")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.
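As an added example (not code from the advisory or from the Camel project), the following header filter strategy applies the Camel-prefix filter in both directions on a camel-mail consumer, closing the inbound gap the description above attributes to MailHeaderFilterStrategy. It assumes Camel's org.apache.camel.support.DefaultHeaderFilterStrategy API (setInFilterStartsWith, setOutFilterStartsWith, applyFilterToExternalHeaders) and that the mail endpoint accepts a headerFilterStrategy bean reference; the route, host name and credentials are hypothetical.

```java
import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.support.DefaultExchange;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

// Added example, not Camel's own class: filters Camel-prefixed headers on the way IN
// (MIME -> Exchange) as well as OUT (Exchange -> MIME), so injected mail headers never
// become Exchange headers that downstream components would act on.
public class BothWaysMailHeaderFilterStrategy extends DefaultHeaderFilterStrategy {

    private static final String[] CAMEL_PREFIXES = { "Camel", "camel", "org.apache.camel." };

    public BothWaysMailHeaderFilterStrategy() {
        // 'out' direction: what the vulnerable strategy already configured
        setOutFilterStartsWith(CAMEL_PREFIXES);
        // 'in' direction: the filter the advisory says was not configured
        setInFilterStartsWith(CAMEL_PREFIXES);
    }

    /** True when an inbound (external) MIME header is dropped before reaching the Exchange. */
    public boolean dropsInbound(String mimeHeader, Exchange exchange) {
        return applyFilterToExternalHeaders(mimeHeader, "value", exchange);
    }

    public static void main(String[] args) throws Exception {
        CamelContext ctx = new DefaultCamelContext();
        BothWaysMailHeaderFilterStrategy strategy = new BothWaysMailHeaderFilterStrategy();
        ctx.getRegistry().bind("mailHeaders", strategy);

        // Constructed sample headers: a Camel-prefixed one must be dropped, an RFC 5322 one kept.
        Exchange probe = new DefaultExchange(ctx);
        if (!strategy.dropsInbound("CamelFileName", probe)) {
            throw new IllegalStateException("Camel-prefixed inbound header was not filtered");
        }
        if (strategy.dropsInbound("Subject", probe)) {
            throw new IllegalStateException("ordinary mail header was wrongly filtered");
        }

        ctx.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // Hypothetical consumer; headerFilterStrategy is assumed to be an endpoint option.
                from("imap://mail.example.test?username=inbox&password=RAW(changeme)"
                        + "&headerFilterStrategy=#mailHeaders")
                    .to("log:inbound-mail");
            }
        });
    }
}
```

This is a stop-gap for deployments that cannot yet move to a fixed release; the advisory's remediation is the upgrade it names.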
Mitigating Controls (NIST 800-53 r5)
Requires validation of all incoming information, including email headers from IMAP/POP3, to block injection of malicious Camel-prefixed MIME headers into the Exchange.
Mandates timely flaw remediation through upgrades to patched Apache Camel versions (e.g., 4.19.0) that properly configure inbound header filtering.
Restricts untrusted information inputs like Camel-specific headers from external email sources to prevent their mapping into downstream Camel components.
Security Summary
CVE-2026-33454 is a Camel message header injection vulnerability in the Camel-Mail component of Apache Camel. The custom header filter strategy (MailHeaderFilterStrategy) only filters headers in the 'out' direction via setOutFilterStartsWith, while neglecting the 'in' direction via setInFilterStartsWith. Consequently, when a Camel application consumes mail through camel-mail—such as via from("imap://...") or from("pop3://...")—inbound filter checks are skipped, allowing Camel-prefixed MIME headers to be mapped unfiltered into the Exchange. This issue affects Apache Camel versions from 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1, and is classified under CWE-502 with a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
An attacker who can deliver an email to a mailbox monitored by a vulnerable Camel-mail consumer can exploit this flaw by injecting Camel-specific headers. These injected headers can alter the behavior of downstream Camel components, such as camel-bean, camel-exec, or camel-sql, potentially leading to unauthorized code execution, data manipulation, or other route hijacking. The attack requires no privileges and can be performed over the network with low complexity, mirroring patterns addressed in prior vulnerabilities like CVE-2025-30177 (camel-undertow) and CVE-2025-27636/CVE-2025-29891 (incoming-header filters).
The Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-33454.html recommends upgrading to version 4.19.0 to remediate the issue. Users on the 4.18.x LTS stream should upgrade to 4.18.1, while those on the 4.14.x LTS stream should upgrade to 4.14.6.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a network-accessible Camel-mail consumer endpoint via malicious email headers, leading to route hijacking, code execution, or data manipulation, directly mapping to T1190: Exploit Public-Facing Application.