Impact
A flaw in Apache Camel Mail allows an attacker to inject arbitrary JavaMail session properties through message headers prefixed with mail.smtp. or mail.smtps.. These headers are applied on a per-message basis, overriding the endpoint’s configuration. If an attacker can place such headers into a route that reaches an SMTP or SMTPS producer without sanitization, then credentials configured in the endpoint can be sent to an attacker‑controlled server, or at a minimum the transport security can be weakened so that outbound mail may be intercepted or tampered with. The vulnerability stems from improper input validation (CWE‑20) and potential exposure of sensitive information (CWE‑200).
Affected Systems
The issue affects the Apache Camel Mail component distributed by the Apache Software Foundation. Vulnerable releases include 4.0.0‑4.14.7, 4.15.0‑4.18.2, and 4.19.0‑4.20.9. The component is used in Camel routes that send email via SMTP or SMTPS.
Risk and Exploitability
The EPSS score is under 1 % and the vulnerability is not listed in CISA’s KEV catalog, indicating low current exploitation probability. Nevertheless, the vulnerability can be exercised if a route accepts untrusted input (e.g., from HTTP, JMS, Kafka) and forwards it to a mail producer without removing the internal mail.* namespace headers. The ability to redirect mail transmissions or leak credentials makes the risk significant for systems exposing the Camel routes to external users. Upgrading to the fixed versions disables the per‑message override by default; it can only be re‑enabled with the explicit useJavaMailSessionPropertiesFromHeaders option on trusted endpoints. Until an upgrade is applied, the risk can be mitigated by stripping the mail.smtp.* and mail.smtps.* headers before the mail producer in the route.
OpenCVE Enrichment