Cyber Resilience

CVE-2026-47323

CriticalUpdated

Published: 19 May 2026

Published
19 May 2026
Modified
27 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0143 69.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-47323 is a critical-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Apache Camel. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound filtering via setInFilterStartsWith.…

more

As a result, an unauthenticated attacker can inject Camel-internal headers (e.g. CamelExecCommandExecutable, CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints. When a route forwards messages from these endpoints to header-driven components such as camel-exec or camel-file, the injected headers override configured values, enabling remote code execution or arbitrary file writes. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177), the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and non-HTTP strategies (CVE-2026-40453). This issue affects Apache Camel: from 3.18.0 before 4.14.6, from 4.15.0 before 4.18.2. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.2. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Header injection into public CXF/Knative HTTP endpoints (T1190) allows direct override of CamelExec* headers, resulting in arbitrary command execution via camel-exec (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33453Same product: Apache Camel
CVE-2025-27636Same product: Apache Camel
CVE-2026-40453Same product: Apache Camel
CVE-2026-25747Same product: Apache Camel
CVE-2026-33454Same product: Apache Camel
CVE-2026-40473Same product: Apache Camel
CVE-2026-40860Same product: Apache Camel
CVE-2026-23552Same product: Apache Camel
CVE-2026-40022Same product: Apache Camel
CVE-2026-40858Same product: Apache Camel

Affected Assets

apache
camel
3.18.0 — 4.14.6 · 4.15.0 — 4.18.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References