Description
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component.

The camel-docling component invokes the external `docling` command-line tool by assembling an argument list in DoclingProducer and executing it through java.lang.ProcessBuilder. Custom CLI arguments supplied through the `CamelDoclingCustomArguments` exchange header (a List<String>) were appended to that argument list with insufficient validation: the original implementation relied on a denylist of disallowed flags and only rejected path values that contained a literal `../` sequence. As a result, a Camel route that forwards externally-influenced data into the `CamelDoclingCustomArguments` header (or into the path-bearing headers used to build the invocation) could cause the producer to pass unrecognized or unintended `docling` CLI flags to the subprocess, and could supply path-like argument values that resolved outside the intended directory through traversal sequences not caught by the literal `../` check. Because Camel itself builds the `docling` invocation from these values, the component is responsible for constraining them, and the weak validation allowed CLI-argument injection and directory traversal in the arguments passed to the external tool. The invocation uses the list-based form of ProcessBuilder, so a shell does not interpret the argument values; OS command injection through shell metacharacters was not possible, and the metacharacter rejection added by the fix is defense-in-depth.
This issue affects Apache Camel: from 4.15.0 before 4.18.3.

Users are recommended to upgrade to a release that contains the CAMEL-23212 fix. On the mainline the fix is included from Apache Camel 4.19.0 (and later releases such as 4.20.0). For users on the 4.18.x LTS releases stream, upgrade to 4.18.3. The fix replaces the denylist with a strict allowlist of recognized `docling` CLI flags (rejecting any unrecognized flag, and rejecting producer-managed flags such as the output-directory flags), defensively rejects shell metacharacters in argument values, and normalizes path-like values with Path.normalize() before validating them so that traversal sequences which bypass a literal `../` check are detected. As defence in depth, route authors should avoid mapping untrusted message content into the `CamelDoclingCustomArguments` header and the path-bearing headers, and should strip Camel-internal headers from messages that arrive from untrusted producers.
Published: 2026-07-06
Score: 9.1 Critical
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Camel’s Docling component builds an argument list for the external `docling` command using a custom header, `CamelDoclingCustomArguments`. The original implementation relied on a denylist of forbidden flags and only checked for a literal `../` sequence in path values. As a result, a Camel route that accepts untrusted data could inject unsupported `docling` flags or craft path‑like arguments that traverse outside the intended directory. The injected arguments may alter the behavior of the external process and potentially expose or modify files that are not part of the intended workspace, compromising the integrity and confidentiality of the system that runs Camel.

Affected Systems

The flaw exists in Apache Camel versions from 4.15.0 up to, but not including, 4.18.3. Users on the 4.18.x long‑term support line are affected until they apply the 4.18.3 update. Versions 4.19.0 and later already contain the CAMEL-23212 fix.

Risk and Exploitability

The EPSS score is reported as < 1%, indicating a very low probability that this vulnerability will be actively exploited. The vulnerability is not listed in the CISA KEV catalog. The CVSS score of 9.1 indicates high severity, reflecting potential complete compromise of confidentiality, integrity, and availability if exploited. The exposed ability to inject unsupported `docling` flags and perform directory traversal could allow an attacker to manipulate or read files outside the intended workspace, thereby compromising the system that runs Camel. The attack requires injection of data into the `CamelDoclingCustomArguments` header or related path headers; therefore, proper authentication, authorization, and input validation diminish the likelihood.

Generated by OpenCVE AI on July 7, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to version 4.18.3 or later (including 4.19.0 and beyond) to apply the CAMEL‑23212 fix.
  • If you are running the 4.18.x LTS stream, apply the 4.18.3 update immediately.
  • Review Camel routes that use the Docling component and remove any boundaries that forward untrusted message content into the `CamelDoclingCustomArguments` header or the path‑bearing headers; strip internal Camel headers from messages originating from external producers.

Generated by OpenCVE AI on July 7, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
References
Metrics threat_severity

None

threat_severity

Moderate


Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 06 Jul 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Apache Camel Docling component. The camel-docling component invokes the external `docling` command-line tool by assembling an argument list in DoclingProducer and executing it through java.lang.ProcessBuilder. Custom CLI arguments supplied through the `CamelDoclingCustomArguments` exchange header (a List<String>) were appended to that argument list with insufficient validation: the original implementation relied on a denylist of disallowed flags and only rejected path values that contained a literal `../` sequence. As a result, a Camel route that forwards externally-influenced data into the `CamelDoclingCustomArguments` header (or into the path-bearing headers used to build the invocation) could cause the producer to pass unrecognized or unintended `docling` CLI flags to the subprocess, and could supply path-like argument values that resolved outside the intended directory through traversal sequences not caught by the literal `../` check. Because Camel itself builds the `docling` invocation from these values, the component is responsible for constraining them, and the weak validation allowed CLI-argument injection and directory traversal in the arguments passed to the external tool. The invocation uses the list-based form of ProcessBuilder, so a shell does not interpret the argument values; OS command injection through shell metacharacters was not possible, and the metacharacter rejection added by the fix is defense-in-depth. This issue affects Apache Camel: from 4.15.0 before 4.18.3. Users are recommended to upgrade to a release that contains the CAMEL-23212 fix. On the mainline the fix is included from Apache Camel 4.19.0 (and later releases such as 4.20.0). For users on the 4.18.x LTS releases stream, upgrade to 4.18.3. The fix replaces the denylist with a strict allowlist of recognized `docling` CLI flags (rejecting any unrecognized flag, and rejecting producer-managed flags such as the output-directory flags), defensively rejects shell metacharacters in argument values, and normalizes path-like values with Path.normalize() before validating them so that traversal sequences which bypass a literal `../` check are detected. As defence in depth, route authors should avoid mapping untrusted message content into the `CamelDoclingCustomArguments` header and the path-bearing headers, and should strip Camel-internal headers from messages that arrive from untrusted producers.
Title Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argument injection and path traversal in DoclingProducer
Weaknesses CWE-88
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T18:49:25.326Z

Reserved: 2026-04-08T16:19:46.829Z

Link: CVE-2026-40047

cve-icon Vulnrichment

Updated: 2026-07-06T09:25:00.160Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-06T07:46:57Z

Links: CVE-2026-40047 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T18:00:06Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-88

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')