Cyber Posture

CVE-2026-40453

Critical

Published: 27 April 2026

Modified: 28 April 2026
KEV Added: not listed
CVSS Score: 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0019 (40.9th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-40453 is a critical-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Apache Camel. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). EPSS ranks it at the 40.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Validates incoming JMS, CoAP, and Pub/Sub message headers case-insensitively to block injection of case-variant Camel internal headers like 'CAmelExecCommandExecutable' before they reach downstream components.

prevent: Restricts headers prefixed with 'Camel' or 'camel' case-insensitively from untrusted message producers to prevent bypass of the vulnerable case-sensitive filtering in non-HTTP HeaderFilterStrategy implementations.

prevent: Provides timely flaw remediation by upgrading Apache Camel to patched versions (e.g., 4.20.0, 4.14.6, or 4.18.2) that apply case-insensitive filtering to all affected HeaderFilterStrategy implementations.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement): Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

The vulnerability enables remote exploitation of Camel components via messaging brokers, leading to RCE (camel-exec command execution) and arbitrary file writes, which directly facilitates T1210 and T1059.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Deeper analysis

CVE-2026-40453 is a vulnerability in Apache Camel that stems from an incomplete fix for CVE-2025-27636. The prior patch added case-insensitive filtering via setLowerCase(true) to HttpHeaderFilterStrategy, but omitted it from five other implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. These strategies perform case-sensitive filtering with String.startsWith('Camel'/'camel'), while the Camel Exchange stores headers in a case-insensitive map. This allows case-variant internal headers, such as 'CAmelExecCommandExecutable', to bypass filtering and be resolved by downstream components using canonical casing. The issue affects Apache Camel versions from 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0, with a CVSS v3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), and maps to CWE-178.

An attacker requires producer access to a JMS (or equivalent protocol like CoAP or Google Pub/Sub) broker that feeds into a vulnerable Camel route. By sending messages with case-variant Camel internal headers, the attacker can inject headers that pass the case-sensitive filter but are interpreted case-insensitively downstream. This enables exploitation of header-driven components such as camel-exec for remote code execution or camel-file for arbitrary file writes on the host running the Camel application.
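The filtering gap described above, as an added example that is not Camel's own code: a small Java check that models the affected strategies' case-sensitive prefix filter beside the lower-cased form (the effect of setLowerCase(true)) and probes both with case variants of an internal header name, the way a unit test for a custom HeaderFilterStrategy would. The class name, the Predicate modelling of HeaderFilterStrategy and the helper names are assumptions.

```java
import java.util.Locale;
import java.util.function.Predicate;

// Added example, not Apache Camel's own code: a check for the filtering gap behind
// CVE-2026-40453. The Camel Exchange keeps headers in a case-insensitive map, so a
// filter that only matches the exact-case prefixes "Camel"/"camel" lets a variant
// such as "CAmelExecCommandExecutable" through, and downstream components then
// resolve it as "CamelExecCommandExecutable". A HeaderFilterStrategy is modelled
// here as a Predicate<String> that returns true when the header must be dropped.
public class HeaderFilterCheck {
    // Mirrors the case-sensitive String.startsWith check of the affected strategies.
    static final Predicate<String> CASE_SENSITIVE =
        name -> name.startsWith("Camel") || name.startsWith("camel");
    // Mirrors the effect of setLowerCase(true): normalise the name before matching.
    static final Predicate<String> LOWER_CASED =
        name -> name.toLowerCase(Locale.ROOT).startsWith("camel");

    // Case variants that a case-insensitive map treats as the same key:
    // canonical, upper, lower, and the "CAmel..." form (second letter upper-cased).
    static String[] caseVariants(String canonical) {
        // Assumes a name of at least two characters, which every Camel* header satisfies.
        String prefixVariant = canonical.charAt(0)
            + canonical.substring(1, 2).toUpperCase(Locale.ROOT) + canonical.substring(2);
        return new String[] {
            canonical, canonical.toUpperCase(Locale.ROOT),
            canonical.toLowerCase(Locale.ROOT), prefixVariant
        };
    }

    // Returns the first variant the filter lets through, or null if it drops all of them.
    static String firstLeak(Predicate<String> filter, String canonical) {
        for (String variant : caseVariants(canonical)) {
            if (!filter.test(variant)) {
                return variant;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Internal header name quoted in the advisory text.
        String header = "CamelExecCommandExecutable";
        System.out.println("case-sensitive filter leaks: " + firstLeak(CASE_SENSITIVE, header));
        System.out.println("lower-cased filter leaks:    " + firstLeak(LOWER_CASED, header));
        // A benign application header must still pass the hardened filter.
        System.out.println("benign header dropped:       " + LOWER_CASED.test("X-Request-Id"));
    }
}
```

Run firstLeak against your own strategy's predicate for each Camel internal header your routes consume; a non-null result means a case variant of that header reaches the Exchange.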

The Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-40453.html recommends upgrading to version 4.20.0 to address the issue. Users on the 4.14.x LTS stream should upgrade to 4.14.6, while those on the 4.18.x stream should upgrade to 4.18.2.

Details

CWE(s): CWE-178 (Improper Handling of Case Sensitivity)

Affected Products: apache camel, versions 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0

