CVE-2026-40453 Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection

🗓️ 27 Apr 2026 08:23:20Reported by apacheType

Fix incomplete non-HTTP header filtering to prevent case-variant header injection.

Reporter	Title	Published	Views	Family All 32
ATTACKERKB	CVE-2026-47323	19 May 202612:25	–	attackerkb
ATTACKERKB	CVE-2026-40453	27 Apr 202608:23	–	attackerkb
Chainguard	CVE-2026-40453 vulnerabilities	23 May 202607:17	–	cgr
Circl	CVE-2026-40453	26 Apr 202619:06	–	circl
CNNVD	Apache Camel 安全漏洞	27 Apr 202600:00	–	cnnvd
CVE	CVE-2026-40453	27 Apr 202608:23	–	cve
EUVD	EUVD-2026-25791	27 Apr 202608:23	–	euvd
Github Security Blog	Apache Camel has an incomplete fix for CVE-2025-27636	27 Apr 202609:34	–	github
NCSC	Vulnerabilities handled in Apache Camel	29 Apr 202608:12	–	ncsc
NVD	CVE-2026-40453	27 Apr 202609:16	–	nvd

[
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.camel:camel-jms",
    "product": "Apache Camel JMS",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.14.6",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.18.2",
        "status": "affected",
        "version": "4.15.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.20.0",
        "status": "affected",
        "version": "4.19.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.camel:camel-coap",
    "product": "Apache Camel CoAP",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.14.6",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.18.2",
        "status": "affected",
        "version": "4.15.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.20.0",
        "status": "affected",
        "version": "4.19.0",
        "versionType": "semver"
      }
    ]
  },
  {
    "collectionURL": "https://repo.maven.apache.org/maven2",
    "defaultStatus": "unaffected",
    "packageName": "org.apache.camel:camel-google-pubsub",
    "product": "Apache Camel Google PubSub",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThan": "4.14.6",
        "status": "affected",
        "version": "3.0.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.18.2",
        "status": "affected",
        "version": "4.15.0",
        "versionType": "semver"
      },
      {
        "lessThan": "4.20.0",
        "status": "affected",
        "version": "4.19.0",
        "versionType": "semver"
      }
    ]
  }
]

Source	Link
camel	www.camel.apache.org/security/CVE-2026-40453.html

27 Apr 2026 08:23Current

EPSS0.00228

CWE-178