Cyber Posture

CVE-2026-33454

Critical · RCE

Published: 27 April 2026
Modified: 28 April 2026
KEV Added: not listed
Patch: available (4.14.6, 4.18.1, 4.19.0)
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0022 (44.0th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33454 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in the camel-mail component of Apache Camel. Its CVSS v3.1 base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 44.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10 Information Input Validation)

Requires validation of all incoming information, including email headers fetched over IMAP/POP3, so that Camel-prefixed MIME headers cannot be injected into the Exchange.

prevent (SI-2 Flaw Remediation)

Mandates timely flaw remediation by upgrading to a patched Apache Camel release (4.14.6, 4.18.1 or 4.19.0, depending on the release stream) in which the inbound header filter is configured.

prevent

Restricts untrusted information inputs such as Camel-specific headers from external email sources so that they are not mapped into downstream Camel components.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An attacker needs only to deliver an email to a mailbox that a vulnerable camel-mail consumer polls over IMAP or POP3; the consumer itself does not have to be reachable by the attacker. Because that mailbox is an externally reachable intake point into the application, and the injected Camel headers can lead to route hijacking, code execution or data manipulation in downstream components, the entry point is mapped to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from("imap://...") or from("pop3://...")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.

Deeper analysis

CVE-2026-33454 is a Camel message header injection vulnerability in the Camel-Mail component of Apache Camel. The custom header filter strategy (MailHeaderFilterStrategy) only filters headers in the 'out' direction via setOutFilterStartsWith, while neglecting the 'in' direction via setInFilterStartsWith. Consequently, when a Camel application consumes mail through camel-mail—such as via from("imap://...") or from("pop3://...")—inbound filter checks are skipped, allowing Camel-prefixed MIME headers to be mapped unfiltered into the Exchange. This issue affects Apache Camel versions from 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1, and is classified under CWE-502 with a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

An attacker who can deliver an email to a mailbox monitored by a vulnerable Camel-mail consumer can exploit this flaw by injecting Camel-specific headers. These injected headers can alter the behavior of downstream Camel components, such as camel-bean, camel-exec, or camel-sql, potentially leading to unauthorized code execution, data manipulation, or other route hijacking. The attack requires no privileges and can be performed over the network with low complexity, mirroring patterns addressed in prior vulnerabilities like CVE-2025-30177 (camel-undertow) and CVE-2025-27636/CVE-2025-29891 (incoming-header filters).

The Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-33454.html recommends upgrading to version 4.19.0 to remediate the issue. Users on the 4.18.x LTS stream should upgrade to 4.18.1, while those on the 4.14.x LTS stream should upgrade to 4.14.6.
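The following is an added model of the filter-strategy behaviour described in the NVD description and the deeper analysis above. It is illustrative Python written for this page, not Apache Camel's Java code, and the class, function and constant names are the editor's own. It assumes two things that hold for Camel but should be checked against your version: a header is filtered when its name starts with one of the configured prefixes, and the Exchange header map is case-insensitive, so MIME header names (themselves case-insensitive under RFC 5322) have to be matched case-insensitively. The two injected header names, CamelBeanMethodName and CamelSqlQuery, are assumed to be the documented headers that camel-bean and camel-sql consult; they appear only to show that they reach the Exchange, and the mail itself is constructed.

```python
"""Model of prefix-based header filtering as Camel's DefaultHeaderFilterStrategy
applies it, to show why an 'out'-only configuration (the vulnerable
MailHeaderFilterStrategy) lets Camel-prefixed MIME headers into the Exchange.
Added illustration in Python; not Apache Camel code. Names are the editor's own.
"""
from __future__ import annotations

from dataclasses import dataclass
from email import message_from_string
from email.message import Message


@dataclass
class HeaderFilterStrategy:
    """A header is dropped if its name starts with one of the configured prefixes.

    in_filter_starts_with  - checked when external (MIME) headers are mapped INTO the Exchange
    out_filter_starts_with - checked when Exchange headers are mapped OUT to a MIME message
    case_insensitive       - assumption: MIME header names are case-insensitive (RFC 5322)
                             and so is Camel's header map, so prefix matching must be too
    """
    in_filter_starts_with: tuple[str, ...] = ()
    out_filter_starts_with: tuple[str, ...] = ()
    case_insensitive: bool = True

    def _matches(self, name: str, prefixes: tuple[str, ...]) -> bool:
        if self.case_insensitive:
            name = name.lower()
            prefixes = tuple(p.lower() for p in prefixes)
        return any(name.startswith(p) for p in prefixes)

    def filter_external_header(self, name: str) -> bool:
        """True if an inbound header (mail -> Camel) must be dropped."""
        return self._matches(name, self.in_filter_starts_with)

    def filter_camel_header(self, name: str) -> bool:
        """True if an outbound header (Camel -> mail) must be dropped."""
        return self._matches(name, self.out_filter_starts_with)


CAMEL_PREFIXES = ("Camel", "org.apache.camel.")

# Vulnerable: only the OUT direction is configured (the CVE-2026-33454 condition).
VULNERABLE_STRATEGY = HeaderFilterStrategy(out_filter_starts_with=CAMEL_PREFIXES)
# Fixed: both directions are configured.
FIXED_STRATEGY = HeaderFilterStrategy(in_filter_starts_with=CAMEL_PREFIXES,
                                      out_filter_starts_with=CAMEL_PREFIXES)


def map_mail_to_exchange(msg: Message, strategy: HeaderFilterStrategy) -> dict[str, str]:
    """Copy MIME headers into an Exchange-style map, honouring the IN filter.
    Keys are lower-cased to mimic a case-insensitive header map."""
    headers: dict[str, str] = {}
    for name, value in msg.items():
        if strategy.filter_external_header(name):
            continue
        headers[name.lower()] = value
    return headers


def injected_camel_headers(headers: dict[str, str]) -> list[str]:
    """Exchange headers that a downstream component (camel-bean, camel-sql, ...) might honour."""
    return sorted(k for k in headers if k.startswith(("camel", "org.apache.camel.")))


# Constructed attacker mail, not a real capture. Header names are deliberately
# mixed-case: a case-sensitive 'Camel' prefix check would miss both of them.
# CamelBeanMethodName / CamelSqlQuery are assumed to be the documented headers
# camel-bean and camel-sql consult; the values are placeholders and are never executed.
ATTACKER_MAIL = """\
From: attacker@example.net
To: orders@example.com
Subject: invoice
camelBeanMethodName: deleteAllOrders
CAMELSQLQUERY: DROP TABLE orders
X-Mailer: constructed-sample

please process
"""


def demo() -> tuple[list[str], list[str]]:
    """Return (headers leaked with the vulnerable strategy, headers leaked with the fixed one)."""
    msg = message_from_string(ATTACKER_MAIL)
    leaked_vulnerable = injected_camel_headers(map_mail_to_exchange(msg, VULNERABLE_STRATEGY))
    leaked_fixed = injected_camel_headers(map_mail_to_exchange(msg, FIXED_STRATEGY))
    return leaked_vulnerable, leaked_fixed


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("out-only filter (vulnerable) leaks:", vulnerable)
    print("in+out filter (fixed) leaks:       ", fixed)
```

Run as a script, the out-only strategy reports both injected headers present in the Exchange while the two-direction strategy reports none. On Camel itself the fix is the upgrade named in the advisory. If you cannot upgrade immediately, an interim mitigation worth validating in a test route is to strip Camel-prefixed headers at the consumer, for example `.removeHeaders("Camel*")` directly after the `from("imap://...")` step, or to register a HeaderFilterStrategy with `setInFilterStartsWith` configured and attach it through the mail endpoint's `headerFilterStrategy` option; in either case confirm that matching is case-insensitive in your version, since a header spelled `camelsqlquery` still resolves to CamelSqlQuery in the Exchange.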

Details

CWE(s)

CWE-502 Deserialization of Untrusted Data

Affected Products

Apache Camel: 3.0.0 up to but not including 4.14.6; 4.15.0 up to but not including 4.18.1
Fixed in: 4.14.6 (4.14.x LTS), 4.18.1 (4.18.x LTS), 4.19.0

CVEs Like This One

CVE-2026-40860 (same product: Apache Camel)
CVE-2026-25747 (same product: Apache Camel)
CVE-2026-40473 (same product: Apache Camel)
CVE-2026-40858 (same product: Apache Camel)
CVE-2026-27172 (same product: Apache Camel)
CVE-2025-27636 (same product: Apache Camel)
CVE-2026-40048 (same product: Apache Camel)
CVE-2026-23552 (same product: Apache Camel)
CVE-2026-33453 (same product: Apache Camel)
CVE-2026-40022 (same product: Apache Camel)
