10 matches found

NCSC
added 2026/04/29 8:12 a.m. | 1 view

Vulnerabilities handled in Apache Camel

The Apache Software Foundation has identified vulnerabilities in Apache Camel. These vulnerabilities exist in various components of Apache Camel. The issues include insecure deserialization, insufficient filtering of email headers, incorrect authentication path matching, and improper processing o...

CVSS 10 | AI score 6.1 | EPSS 0.06138
Exploits 3 | References 9
Github Security Blog
added 2026/04/27 12:30 p.m. | 3 views

Apache Camel's Camel-Mail component is vulnerable to Camel message header injection

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component, MailHeaderFilterStrategy, only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a...

CVSS 9.4 | AI score 7.2 | EPSS 0.00326
Exploits 0 | References 17 | Affected Software 1
Cvelist
added 2026/04/27 9:42 a.m. | 31 views

CVE-2026-33454 Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant)

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component, MailHeaderFilterStrategy, only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a...

EPSS 0.00326
Exploits 0 | References 1
ATTACKERKB
added 2026/04/27 8:23 a.m. | 0 views

CVE-2026-40453

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy...

CVSS 5.6 | AI score 6.5 | EPSS 0.5206
Exploits 3 | References 2 | Affected Software 3
CNNVD
added 2026/04/27 12:0 a.m. | 4 views

Apache Camel Code Issue Vulnerability

Apache Camel is an open-source integration framework based on the Enterprise Integration Pattern (EIP), developed by the Apache Foundation in the United States. This framework provides implementations of Java objects following the EIP pattern and allows routing and mediation rules to be configured...

CVSS 8.8 | AI score 6.1 | EPSS 0.00271
Exploits 0 | References 1
vulnersOsv
added 2025/03/12 3:32 p.m. | 3 views

br.com.senior:crm-http-camel-api (>=0.0.2-alpha <=0.0.81-alpha), br.com.senior:novasoft-http-camel-api (>=0.0.3-alpha <=0.0.93-alpha) +3130 more potentially affected by CVE-2025-27636 +1 more via org.apache.camel:camel-support (>=3.10.0 <=3.22.3)

org.apache.camel:camel-support MAVEN version =3.10.0, =0.0.2-alpha, =0.0.3-alpha, =0.0.1-alpha, =1.0.0, =0.0.1-alpha, =0.0.1-alpha, =0.0.1-alpha, =0.0.1-alpha, =0.0.1-alpha, =0.0.1-alpha, =0.0.1-alpha, =18.4.0, =18.4.0, =24.17.0 - com.approvaltests:approvaltests-util-tests =18.4.0 and more Source...

CVSS 5.6 | AI score 7 | EPSS 0.5206
Exploits 4
OSV
added 2022/05/13 1:26 a.m. | 0 views

GHSA-X9FV-C87W-55WC Improper Control of Generation of Code in Apache Camel

Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arbitrary simple language expressions by including "$simple" in a CamelFileName message header to a (1) FILE or (2) FTP producer...

CVSS 6.8 | AI score 6.2 | EPSS 0.18012
Exploits 0 | References 21
RedHat Linux
added 2020/12/16 12:11 p.m. | 3 views

camel: DNS Rebinding in JMX Connector could result in remote command execution

Apache Camel's JMX is vulnerable to Rebind Flaw. Apache Camel 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 is affected. Users should upgrade to 3.2.0...

CVSS 7.5 | AI score 7.1 | EPSS 0.09702
Exploits 0 | References 4
Japan Vulnerability Notes
added 2019/05/22 12:0 a.m. | 155 views

JVN#71498764: Apache Camel vulnerable to XML external entity injection (XXE)

Apache Camel provided by The Apache Software Foundation contains an XML external entity injection (XXE) vulnerability (CWE-611) due to using an outdated vulnerable JSON-lib library. Impact: By processing a specially crafted request, an arbitrary file on the server may be read. Solution: Update the...

CVSS 7.5 | AI score 7.6 | EPSS 0.00961
Exploits 0
vulnersOsv
added 2018/10/16 11:12 p.m. | 1 view

ca.islandora.sync:islandora-sync-gateway (>=0.0.1 <=0.0.2), com.data-artisans:flakka-sample-camel-java_2.10 (=2.3-custom) +172 more potentially affected by CVE-2015-5348 via org.apache.camel:camel-http (>=1.2.0 <=2.15.4)

org.apache.camel:camel-http MAVEN version =1.2.0, =0.0.1, =1.0, =2.3.7, =1.0, =2.3.7, =2.1.0, =2.1.0-RC4, =2.1.0-RC6 and more Source cves: CVE-2015-5348 Source advisory: OSV:GHSA-26V6-W6FW-RH94...

CVSS 8.1 | AI score 7.2 | EPSS 0.06832
Exploits 0