Description
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components.

This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0.

Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.
Published: 2026-04-27
Score: 9.9 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in non-HTTP HeaderFilterStrategy implementations that apply a case-sensitive prefix filter to header names while the Camel Exchange stores headers in a case-insensitive map. An attacker who can publish messages to the broker a Camel route consumes from can inject headers with case-variant names (for example 'CAmelExecCommandExecutable') that pass the filter but resolve to the canonical Camel header on lookup. Downstream components such as camel-exec or camel-file then honour those headers, letting the attacker run arbitrary commands or write arbitrary files on the host running the route. The flaw is classified as CWE-178 (Improper Handling of Case Sensitivity).

Affected Systems

The issue affects Apache Camel routes that consume messages through the camel-jms, camel-sjms, camel-coap, or camel-google-pubsub components and forward them to header-driven components. Vulnerable versions are 3.0.0 up to but not including 4.14.6, 4.15.0 up to but not including 4.18.2, and 4.19.0 up to but not including 4.20.0.

Risk and Exploitability

The CVSS 3.1 score is 9.9 (Critical), vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H: reachable over the network, low attack complexity, only low privileges required, and the impact crosses into the host running the route. The EPSS score is below 1 % and the flaw is not in the CISA KEV catalog, so no exploitation had been observed at publication; that does not lessen the impact once an attacker holds the required access. The precondition is producer access to the broker (or equivalent endpoint) that the Camel route consumes from, whether through an externally exposed publisher or a compromised internal message source. With that access, the attacker publishes a message carrying a header such as 'CAmelExecCommandExecutable', which bypasses the filter and is treated as 'CamelExecCommandExecutable' by camel-exec, yielding remote code execution, or the equivalent camel-file headers, yielding arbitrary file write.

Generated by OpenCVE AI on April 28, 2026 at 04:42 UTC.

Remediation

Vendor fix: upgrade to Apache Camel 4.20.0, or to 4.14.6 on the 4.14.x LTS stream or 4.18.2 on the 4.18.x stream (see Description). No vendor workaround is provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Camel 4.20.0 or the appropriate LTS release (4.14.6 or 4.18.2).
  • If an upgrade is not feasible, restrict the broker (or CoAP / Pub/Sub endpoint) so that only trusted producers can publish to the destinations the route consumes, and strip Camel-internal headers from inbound messages before they reach header-driven components, matching the names case-insensitively so that variants such as 'CAmelExecCommandExecutable' are removed as well.
  • Review routes that feed messages from those consumers into camel-exec or camel-file (or any component that takes its command, path, or file name from headers); remove those components from untrusted paths, or set the command and path explicitly in the route rather than taking them from message headers.

Generated by OpenCVE AI on April 28, 2026 at 04:42 UTC.
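The filter bypass described in the analysis above, together with the case-insensitive header stripping that the second recommended action calls for, as an added Python model. This is not Apache Camel code and is not part of the original page: the CaseInsensitiveHeaders class only stands in for the Exchange header map's lookup behaviour, the two prefixes are the ones the advisory names, and the camel-exec header names and the whitespace-split of the arguments are simplifications taken from the component's documented header names rather than from this page. The sample message is constructed; nothing is executed.

```python
"""Model of the CVE-2026-40453 bypass: a case-sensitive prefix filter in front of a
case-insensitive header map.  Constructed illustration, not Apache Camel source."""


class CaseInsensitiveHeaders:
    """Stand-in for the Camel Exchange header map (assumption: lookups ignore
    case, and each name keeps the casing it was first stored with)."""

    def __init__(self):
        self._entries = {}  # lower-cased name -> (name as stored, value)

    def put(self, name, value):
        self._entries[name.lower()] = (name, value)

    def get(self, name):
        entry = self._entries.get(name.lower())
        return None if entry is None else entry[1]

    def names(self):
        return [stored for stored, _ in self._entries.values()]


# Prefixes the unfixed strategies compare against (from the advisory text).
CAMEL_PREFIXES = ("Camel", "camel")


def vulnerable_filter(name):
    """Unfixed strategy: plain String.startsWith, so 'CAmel...' slips through."""
    return name.startswith(CAMEL_PREFIXES)


def fixed_filter(name):
    """Strategy with setLowerCase(true): both sides lower-cased before matching."""
    return name.lower().startswith(tuple(p.lower() for p in CAMEL_PREFIXES))


def consume(message_properties, should_drop):
    """Copy broker message properties into Exchange headers the way a consumer's
    HeaderFilterStrategy would, dropping the names the filter rejects."""
    headers = CaseInsensitiveHeaders()
    for name, value in message_properties.items():
        if not should_drop(name):
            headers.put(name, value)
    return headers


# Header names camel-exec reads, in their canonical casing (from the component
# docs; 'CamelExecCommandArgs' is not quoted on this page).
EXEC_COMMAND_EXECUTABLE = "CamelExecCommandExecutable"
EXEC_COMMAND_ARGS = "CamelExecCommandArgs"


def resolve_exec_command(headers):
    """What a header-driven exec step would resolve from the Exchange: the
    command line it would launch, or None.  Nothing is run here."""
    executable = headers.get(EXEC_COMMAND_EXECUTABLE)
    if executable is None:
        return None
    command = [executable]
    args = headers.get(EXEC_COMMAND_ARGS)
    if args:
        command.extend(args.split())  # simplification of camel-exec's args handling
    return command


def strip_camel_headers(headers):
    """Route-level mitigation: drop Camel-internal names case-insensitively
    before the Exchange reaches a header-driven component."""
    cleaned = CaseInsensitiveHeaders()
    for name in headers.names():
        if not fixed_filter(name):
            cleaned.put(name, headers.get(name))
    return cleaned


# Constructed message as an attacker with producer access could publish it.
SAMPLE_MESSAGE_PROPERTIES = {
    "JMSCorrelationID": "order-42",
    "orderId": "42",
    "CamelExecCommandExecutable": "/usr/bin/id",  # canonical casing: both filters drop it
    "CAmelExecCommandExecutable": "/usr/bin/id",  # case variant: only the fixed filter drops it
    "cAMELExecCommandArgs": "-u",
}


if __name__ == "__main__":
    before = consume(SAMPLE_MESSAGE_PROPERTIES, vulnerable_filter)
    print("unfixed strategy resolves:", resolve_exec_command(before))  # ['/usr/bin/id', '-u']
    print("after route-level strip:", resolve_exec_command(strip_camel_headers(before)))  # None
    after = consume(SAMPLE_MESSAGE_PROPERTIES, fixed_filter)
    print("fixed strategy resolves:", resolve_exec_command(after))  # None
    print("business headers kept:", sorted(after.names()))  # ['JMSCorrelationID', 'orderId']
```

The point to take from the model is that the filter and the map disagree on what "the same header" means: the filter compares bytes, the map compares lower-cased names, so any variant that is not byte-identical to a known prefix lands in the map under a key that later resolves to the canonical name. A fix that lower-cases before comparing (setLowerCase(true)) or a route-level strip that does the same closes the gap; a blocklist of specific variant spellings would not.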


Advisories
Source: Github GHSA
ID: GHSA-jg2m-9x48-3gvj
Title: Apache Camel has an incomplete fix for CVE-2025-27636
History

Fri, 01 May 2026 00:15:00 +0000

Type: Metrics
  Values Removed: threat_severity = None
  Values Added:   threat_severity = Critical
Type: References (no values listed)


Tue, 28 Apr 2026 19:45:00 +0000

Type: CPEs
  cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
  cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*

Tue, 28 Apr 2026 09:45:00 +0000

Type: First Time appeared
  Values Added: Apache; Apache camel
Type: Vendors & Products
  Values Added: Apache; Apache camel

Mon, 27 Apr 2026 16:15:00 +0000

Type: Metrics
  Values Added: cvssV3_1 = {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}
  Values Added: ssvc = {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 09:15:00 +0000

Type: Description
  Values Added: initial advisory text, identical to the Description at the top of this page
Type: Title
  Values Added: Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection
Type: Weaknesses
  Values Added: CWE-178
References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-28T03:55:39.389Z

Reserved: 2026-04-13T08:27:50.386Z

Link: CVE-2026-40453

Vulnrichment

Updated: 2026-04-27T15:19:10.268Z

NVD

Status : Analyzed

Published: 2026-04-27T09:16:01.493

Modified: 2026-04-28T19:43:55.047

Link: CVE-2026-40453

Redhat

Severity : Critical

Public Date: 2026-04-27T08:23:20Z

Links: CVE-2026-40453 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T09:17:22Z

Weaknesses