Description
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from("imap://...") or from("pop3://...")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891).

This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1.

Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS release stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS release stream, then they are suggested to upgrade to 4.14.6.
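As an added illustration of the filter gap described above (this is example code written for this page, not code from the advisory, from OpenCVE or from the Apache Camel project), the following contrasts a header filter strategy configured only for the 'out' direction with one that also sets the 'in' filter, logs every dropped inbound header as a detection signal, and attaches the hardened strategy to an IMAP consumer. Assumed rather than taken from the page: the Camel 3.x/4.x class names and methods used (DefaultHeaderFilterStrategy with setInFilterStartsWith/setOutFilterStartsWith and applyFilterToExternalHeaders, DefaultExchange, Registry.bind, the mail endpoint's headerFilterStrategy and delay options), the prefix list, and the constructed host, credentials and header names.

```java
// Added example, not code from the advisory or from Apache Camel itself.
// Assumptions: Apache Camel 3.x/4.x APIs (DefaultHeaderFilterStrategy with
// setInFilterStartsWith/setOutFilterStartsWith, DefaultExchange, Registry.bind,
// the mail endpoint's headerFilterStrategy option); the mailbox host, credentials
// and header names below are constructed placeholders.
import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.support.DefaultExchange;
import org.apache.camel.support.DefaultHeaderFilterStrategy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class HardenedMailHeaderFilter {

    private static final Logger LOG = LoggerFactory.getLogger(HardenedMailHeaderFilter.class);

    /** Prefixes that mark a header as Camel-internal (assumed list); received mail must never supply one. */
    private static final String[] CAMEL_PREFIXES = { "Camel", "camel", "org.apache.camel." };

    /**
     * The shape described in the advisory: only the "out" direction is configured,
     * so Camel-prefixed MIME headers on received mail pass straight into the Exchange.
     */
    public static class OutOnlyStrategy extends DefaultHeaderFilterStrategy {
        public OutOnlyStrategy() {
            setOutFilterStartsWith(CAMEL_PREFIXES);
        }
    }

    /**
     * Hardened strategy: the same prefixes are filtered in BOTH directions, and every
     * inbound header that is dropped gets logged so the event can be alerted on.
     */
    public static class BothDirectionsStrategy extends DefaultHeaderFilterStrategy {
        public BothDirectionsStrategy() {
            setOutFilterStartsWith(CAMEL_PREFIXES); // Camel headers never leak into sent mail
            setInFilterStartsWith(CAMEL_PREFIXES);  // the missing half: drop them on received mail
        }

        @Override
        public boolean applyFilterToExternalHeaders(String name, Object value, Exchange exchange) {
            boolean dropped = super.applyFilterToExternalHeaders(name, value, exchange);
            if (dropped) {
                // Detection hook: a Camel-prefixed header arriving by mail is at best a
                // misconfiguration and at worst an injection attempt.
                LOG.warn("Dropped Camel-prefixed inbound MIME header '{}' (exchange {})",
                        name, exchange != null ? exchange.getExchangeId() : "n/a");
            }
            return dropped;
        }
    }

    /** Prints the decision of both strategies for constructed header names; true means the header is dropped. */
    public static void compare(CamelContext ctx) {
        Exchange exchange = new DefaultExchange(ctx);
        String[] sample = { "Subject", "X-Mailer", "CamelInjectedHeader", "org.apache.camel.Something" };
        DefaultHeaderFilterStrategy weak = new OutOnlyStrategy();
        DefaultHeaderFilterStrategy hardened = new BothDirectionsStrategy();
        for (String name : sample) {
            System.out.printf("%-28s out-only drops=%-5s both-directions drops=%s%n", name,
                    weak.applyFilterToExternalHeaders(name, "v", exchange),
                    hardened.applyFilterToExternalHeaders(name, "v", exchange));
        }
        // The out-only strategy drops nothing inbound; the hardened one drops the two
        // Camel-prefixed names and keeps Subject and X-Mailer.
    }

    public static void main(String[] args) throws Exception {
        CamelContext ctx = new DefaultCamelContext();
        ctx.getRegistry().bind("mailHeaderFilter", new BothDirectionsStrategy());
        ctx.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // Constructed host and credentials; the strategy is attached through the endpoint option.
                from("imap://mail.example.invalid?username=ingest&password=RAW(change-me)"
                        + "&headerFilterStrategy=#mailHeaderFilter&delay=60000")
                    .to("log:received-mail?showHeaders=true");
            }
        });
        compare(ctx);
        ctx.start();
        Thread.sleep(5_000);
        ctx.stop();
    }
}
```

Upgrading to the fixed releases remains the fix; a strategy like this is an interim, consumer-side control that only protects endpoints that actually reference the bean through headerFilterStrategy=#mailHeaderFilter, and the warning it logs is the signal to alert on while the upgrade is pending.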
Published: 2026-04-27
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Camel‑Mail component in Apache Camel allows an attacker to inject custom MIME headers, which are not filtered on inbound traffic due to a missing input filter configuration. This may cause downstream components such as camel-bean, camel-exec, or camel-sql to interpret these headers maliciously, enabling arbitrary code execution. The vulnerability involves both CWE‑1173 (Header Injection) and CWE‑502 (Deserialization For Remote Code Execution).

Affected Systems

Apache Camel versions 3.0.0 through 4.14.5 and 4.15.0 through 4.18.0 are affected. Releases before 4.14.6 on the 4.14.x stream and before 4.18.1 on the 4.18.x stream contain the vulnerable inbound header filter logic; 4.19.0 is the first mainline release with the fix.

Risk and Exploitability

The CVSS score of 9.4 indicates critical severity, while the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The most likely attack vector is sending a malicious email to a mailbox monitored by a Camel mail consumer, allowing the attacker to inject the harmful header and gain control. Successful exploitation would compromise confidentiality, integrity, and availability by enabling arbitrary code execution within the Camel application’s runtime environment.

Generated by OpenCVE AI on May 1, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Camel version 4.19.0 or later
  • If on the 4.18.x LTS stream, upgrade to 4.18.1
  • If on the 4.14.x LTS stream, upgrade to 4.14.6



Advisories

Source       ID                   Title
GitHub GHSA  GHSA-2vqf-x7g4-7c2g  Apache Camel's Camel-Mail component is vulnerable to Camel message header injection
History

Fri, 01 May 2026 00:15:00 +0000
  Weaknesses            CWE-1173
  References            (no values shown)
  Metrics               threat_severity: None -> Critical

Tue, 28 Apr 2026 19:45:00 +0000
  CPEs                  cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*

Tue, 28 Apr 2026 04:15:00 +0000
  First Time appeared   Apache; Apache camel
  Vendors & Products    Apache; Apache camel

Mon, 27 Apr 2026 15:15:00 +0000
  Metrics               cvssV3_1: {'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}
                        ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 10:00:00 +0000
  Description           added (initial text; identical to the Description section above)
  Title                 Apache Camel: Inbound Header Filter Missing in MailHeaderFilterStrategy Allows Remote Code Execution via MIME Header Injection (CVE-2025-30177 Variant)
  Weaknesses            CWE-502
  References            (no values shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-27T14:57:50.182Z

Reserved: 2026-03-20T09:46:41.656Z

Link: CVE-2026-33454

Vulnrichment

Updated: 2026-04-27T14:55:55.217Z

NVD

Status: Analyzed

Published: 2026-04-27T10:16:07.853

Modified: 2026-04-28T19:42:14.580

Link: CVE-2026-33454

Redhat

Severity: Critical

Public Date: 2026-04-27T09:42:39Z

Links: CVE-2026-33454 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-01T05:45:10Z

Weaknesses