CVE-2026-33453
Published: 27 April 2026
Summary
CVE-2026-33453 is a critical-severity Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915) vulnerability in Apache Camel. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
Apache Camel's camel-coap component contains an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability (CWE-915) that permits arbitrary Camel message header injection. The flaw exists because CamelCoapResource.handleRequest() copies every entry from OptionSet.getUriQuery() into the Exchange In headers via setHeader() without invoking any HeaderFilterStrategy; the component neither extends DefaultHeaderFilterStrategyEndpoint nor implements HeaderFilterStrategyComponent. Affected releases are Apache Camel 4.14.0–4.14.5, 4.18.0 before 4.18.1, and 4.19.0.
An unauthenticated remote attacker who can reach the CoAP UDP listener (default port 5683) can inject headers prefixed with Camel* by sending a single crafted CoAP request containing URI query parameters. When the route subsequently delivers the exchange to a header-sensitive producer such as camel-exec, camel-sql, camel-bean or template components, the injected headers override endpoint configuration; with camel-exec this results in arbitrary operating-system command execution under the Camel process privileges, with command output returned directly in the CoAP response.
The Apache Camel security advisory and the oss-security posting both state that the issue is resolved in versions 4.18.1 and 4.19.0; users are advised to upgrade. The reported CVSS score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The associated EPSS score remains flat at 0.0744 with no material increase after disclosure.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25816
Vulnerability details
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec) The…
more
camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables exploitation of a public-facing CoAP application component for unauthenticated remote access (T1190). It directly facilitates arbitrary OS command execution through header injection into camel-exec and similar producers (T1059).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly blocks the root cause by requiring validation and filtering of CoAP URI query parameters before they are copied into Camel Exchange headers via setHeader().
Enforces information-flow rules that would have prevented arbitrary Camel* headers from being injected into the Exchange and reaching header-sensitive producers such as camel-exec.
Would have enforced access-control policy on dynamically set message attributes, denying the unauthorized header modifications performed in CamelCoapResource.handleRequest().