Description
Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component.


The camel-aws2-sqs component map inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers being written to the broker) but did not configure an inbound filter. As a result, when Sqs2Consumer copies each SQS MessageAttribute into the Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, DefaultHeaderFilterStrategy applied no inbound rule and treated every header name as not filtered - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - copying them unmodified onto the Camel message. Any principal able to send messages to the consumed SQS queue (for example a cross-account sender or a lower-privileged in-account component holding sqs:SendMessage) could therefore set arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses.


This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds an inbound HeaderFilterStrategy rule to Sqs2HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so sender-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and restrict who may send to the consumed SQS queue by applying least-privilege sqs:SendMessage permissions on the queue resource policy.
Published: 2026-07-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Camel’s AWS2‑SQS component incorrectly validates inbound message attributes, allowing an attacker to embed Camel control headers such as CamelHttpUri, CamelFileName, or CamelSqlQuery into SQS messages. These headers are mapped into the Exchange unchanged because the inbound HeaderFilterStrategy is not configured, giving the sender the ability to alter the behavior of downstream producers. The injected headers can redirect HTTP calls, change file destinations, or modify database queries, thereby compromising confidentiality, integrity, or availability depending on the route configuration.

Affected Systems

The issue affects Apache Camel versions from 4.0.0 up to, but not including, 4.14.8, from 4.15.0 up to 4.18.3, and from 4.19.0 up to, but not including, 4.21.0. Deployments running any of these releases should verify their version and determine whether an upgrade is feasible.

Risk and Exploitability

The CVSS score of 9.8 classifies this vulnerability as Critical, indicating that the potential impact on confidentiality, integrity, and availability is severe. Exploitation requires an attacker with the ability to send messages to the SQS queue, which typically demands IAM permissions for sqs:SendMessage. The EPSS score remains below 1 %, suggesting that widespread exploitation is currently low, but the high CVSS score means that once an attacker gains queue‑write privileges, they can inject arbitrary Camel control headers that will influence all downstream route components, potentially redirecting HTTP calls, altering file destinations, or manipulating database queries. The vulnerability is not listed in the CISA KEV catalog. Because the injected headers persist across internal routing hops, the overall risk in exposed routes remains Critical, demanding immediate attention.

Generated by OpenCVE AI on July 10, 2026 at 07:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to version 4.21.0 (or to 4.18.3 if using the 4.18.x stream, or to 4.14.8 if using the 4.14.x LTS branch).
  • If an immediate upgrade, add a route step at the beginning that removes Camel‑prefixed headers, for example using removeHeaders('Camel*') and removeHeaders('camel*').
  • Restrict SQS write permissions by applying least‑privilege sqs:SendMessage policies on the queue resource so that only trusted principals can send messages.

Generated by OpenCVE AI on July 10, 2026 at 07:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component. The camel-aws2-sqs component map inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers being written to the broker) but did not configure an inbound filter. As a result, when Sqs2Consumer copies each SQS MessageAttribute into the Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, DefaultHeaderFilterStrategy applied no inbound rule and treated every header name as not filtered - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - copying them unmodified onto the Camel message. Any principal able to send messages to the consumed SQS queue (for example a cross-account sender or a lower-privileged in-account component holding sqs:SendMessage) could therefore set arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix adds an inbound HeaderFilterStrategy rule to Sqs2HeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so sender-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and restrict who may send to the consumed SQS queue by applying least-privilege sqs:SendMessage permissions on the queue resource policy.
Title Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange without an inbound HeaderFilterStrategy, allowing a message sender to inject Camel control headers
Weaknesses CWE-20
References

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T19:28:37.870Z

Reserved: 2026-05-14T08:59:11.779Z

Link: CVE-2026-46456

cve-icon Vulnrichment

Updated: 2026-07-06T09:25:15.150Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T07:30:12Z

Weaknesses
  • CWE-20

    Improper Input Validation