CVE-2026-40453

CVE-2026-40453 is a vulnerability in Apache Camel that stems from an incomplete fix for CVE-2025-27636. The prior patch added case-insensitive filtering via setLowerCase(true) to HttpHeaderFilterStrategy, but omitted this from five other implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. These strategies perform case-sensitive filtering with String.startsWith('Camel'/'camel'), while Camel Exchange stores headers in a case-insensitive map. This allows case-variant internal headers, such as 'CAmelExecCommandExecutable', to bypass filtering and be resolved by downstream components using canonical casing. The issue affects Apache Camel versions from 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0, with a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-178.

An attacker requires producer access to a JMS (or equivalent protocol like CoAP or Google Pub/Sub) broker that feeds into a vulnerable Camel route. By sending messages with case-variant Camel internal headers, the attacker can inject headers that pass the case-sensitive filter but are interpreted case-insensitively downstream. This enables exploitation of header-driven components such as camel-exec for remote code execution or camel-file for arbitrary file writes on the host running the Camel application.

The Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-40453.html recommends upgrading to version 4.20.0 to address the issue. Users on the 4.14.x LTS stream should upgrade to 4.14.6, while those on the 4.18.x stream should upgrade to 4.18.2.