Description
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component.

Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec).

The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy.
Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all.

As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process.

The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration.

Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply.

This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0.

Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.
Published: 2026-04-27
Score: 10 Critical
EPSS: 6.1% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to inject arbitrary Camel exchange headers through CoAP URI query parameters, which are then forwarded to header‑sensitive producers such as camel‑exec. The injected headers can override executable commands and arguments, giving the attacker the ability to run arbitrary OS commands on the machine where Camel is running. This results in a full remote code execution scenario with no authentication required on the CoAP endpoint.

Affected Systems

The issue affects Apache Camel's camel‑coap component. Versions 4.14.0 through 4.14.5, 4.18.0 (before 4.18.1), and 4.19.0 have been identified as vulnerable, while newer releases have applied a fix.

Risk and Exploitability

The CVSS score of 10 indicates the highest level of severity. Although the EPSS score of 6% indicates only a moderate exploitation probability, the vulnerability can still be triggered by a single unauthenticated UDP packet to the default CoAP port 5683. Because the protocol is UDP‑based and lacks default authentication, WAFs that filter HTTP traffic are ineffective. The vulnerability is not listed in CISA's KEV catalog, but the injection can provide an interactive RCE channel without out‑of‑band exfiltration.

Generated by OpenCVE AI on May 22, 2026 at 15:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to version 4.18.1 or 4.19.0 or later to apply the vendor’s fix.
  • If CoAP traffic is not required, block the CoAP port (default 5683) on the network perimeter to prevent unauthenticated access.
  • Enable DTLS or another authentication mechanism on the CoAP endpoint to guard against unauthenticated packet injection.
  • Restrict access to the CoAP service via firewall rules or network segmentation so that only trusted hosts can reach the port.
  • Implement input validation for header names to mitigate header injection, addressing the CWE‑915 weakness.
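The description above explains that camel-coap copies every URI query parameter into an In header with no HeaderFilterStrategy in the path, and the last recommended action asks for validation of header names. The route below is an added example, not code from the advisory or from the Apache Camel project: it puts an explicit processor between the CoAP consumer and a header-sensitive producer that drops any header in the Camel* namespace and logs that it did so, which is both the mitigation and a detection signal (a legitimate CoAP client has no reason to send a query parameter named CamelExecCommandExecutable). The endpoint URIs, the port, the `uptime` command and the `CamelCoap*` exclusion mentioned in the comments are assumptions for illustration.

```java
import java.util.List;
import java.util.stream.Collectors;

import org.apache.camel.Message;
import org.apache.camel.Processor;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.main.Main;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Added example (not from the advisory or the Camel project): a CoAP consumer
// route that strips request-supplied Camel* headers before the message reaches
// camel-exec, so the executable and arguments can come only from the endpoint URI.
public class FilteredCoapRoute extends RouteBuilder {

    private static final Logger LOG = LoggerFactory.getLogger(FilteredCoapRoute.class);

    // Stand-in for the HeaderFilterStrategy the component does not apply:
    // removes every header in the Camel* namespace from the In message and
    // records the names that arrived, which is the thing to alert on.
    private final Processor stripUntrustedCamelHeaders = exchange -> {
        Message in = exchange.getIn();
        List<String> suspect = in.getHeaders().keySet().stream()
                .filter(name -> name.startsWith("Camel"))
                .collect(Collectors.toList());
        if (!suspect.isEmpty()) {
            LOG.warn("Dropping {} Camel* header(s) received over CoAP via {}: {}",
                    suspect.size(), exchange.getFromEndpoint(), suspect);
            // Message.removeHeaders takes the same wildcard pattern syntax as the DSL.
            in.removeHeaders("Camel*");
        }
    };

    @Override
    public void configure() {
        // Assumed consumer URI; every URI query parameter of the request is an
        // In header by the time the exchange enters this route.
        from("coap://0.0.0.0:5683/status")
            .process(stripUntrustedCamelHeaders)
            // Assumed command. With the headers gone, CamelExecCommandExecutable
            // and CamelExecCommandArgs can no longer override "uptime".
            .to("exec:uptime")
            .convertBodyTo(String.class);
    }

    public static void main(String[] args) throws Exception {
        Main main = new Main();
        main.configure().addRoutesBuilder(new FilteredCoapRoute());
        main.run(args);
    }
}
```

Where no logging is wanted, the one-line DSL form `.removeHeaders("Camel*")` placed right after `from(...)` does the same stripping; its extra arguments are exclude patterns, which is the place to keep headers the consumer itself sets (assumed to match `CamelCoap*`) if the rest of the route reads them. The filter only covers the In message of this route; each route that consumes from `coap://` and feeds a header-driven producer needs its own copy, and none of this replaces the upgrade to a fixed version.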

Generated by OpenCVE AI on May 22, 2026 at 15:46 UTC.

Advisories

Source: GitHub GHSA
ID: GHSA-695c-x5gc-94gj
Title: Apache camel-coap allows header injection that can lead to remote code execution

History

Wed, 06 May 2026 12:15:00 +0000

References: updated
Metrics: threat_severity: None -> Important


Tue, 28 Apr 2026 19:45:00 +0000

CPEs added:
  cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
  cpe:2.3:a:apache:camel:4.18.0:*:*:*:*:*:*:*
  cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*

Tue, 28 Apr 2026 03:15:00 +0000

First time appeared: Apache, Apache camel
Vendors & Products: Apache, Apache camel

Mon, 27 Apr 2026 15:15:00 +0000

Metrics added:
  cvssV3_1: {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 12:30:00 +0000

References: updated

Mon, 27 Apr 2026 10:45:00 +0000

Description added: the full advisory text shown in the Description section at the top of this page
Title added: Apache Camel: CoAP URI Query Parameter to Exchange Header Injection in camel-coap Allows Single-Packet Pre-Auth Remote Code Execution
Weaknesses added: CWE-915
References

MITRE
  Status: PUBLISHED
  Assigner: apache
  Published:
  Updated: 2026-04-28T03:55:37.203Z
  Reserved: 2026-03-20T09:04:24.188Z
  Link: CVE-2026-33453

Vulnrichment
  Updated: 2026-04-27T10:42:54.254Z

NVD
  Status: Analyzed
  Published: 2026-04-27T11:16:01.873
  Modified: 2026-04-28T19:39:35.267
  Link: CVE-2026-33453

Red Hat
  Severity: Important
  Public Date: 2026-04-27T09:58:48Z
  Links: CVE-2026-33453 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-05-22T16:00:14Z

Weaknesses