Description
Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Camel Mail Component.

The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (for example platform-http query parameters or request headers, or JMS / Kafka messages from untrusted producers) that feeds a route ending in an smtp / smtps producer without an intervening removeHeaders. The maximal impact is version-dependent: on releases before 4.19.0, setting mail.smtp.host redirects the SMTP connection to a server under the attacker's control, and because the producer then authenticates with the endpoint's configured username and password those credentials are transmitted to the attacker; on 4.19.0 and later the producer connects to the endpoint's configured host explicitly, so the reachable impact is limited to weakening transport security (for example mail.smtp.ssl.trust, mail.smtp.starttls.enable or mail.smtp.socks.host) and interception of the outgoing message rather than host redirect. Exploitation requires a route that channels untrusted input into the mail producer without stripping the namespace.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the per-message override is disabled by default; enable it only on trusted endpoints with useJavaMailSessionPropertiesFromHeaders=true. For deployments that cannot upgrade immediately, strip the namespace before the mail producer with removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') between any untrusted ingress and the smtp / smtps producer. Even with the opt-in enabled, route authors should still strip the namespace on any path that carries untrusted input.
Published: 2026-07-06
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Apache Camel Mail allows an attacker to inject arbitrary JavaMail session properties through message headers prefixed with mail.smtp. or mail.smtps.. These headers are applied on a per-message basis, overriding the endpoint’s configuration. If an attacker can place such headers into a route that reaches an SMTP or SMTPS producer without sanitization, then credentials configured in the endpoint can be sent to an attacker‑controlled server, or at a minimum the transport security can be weakened so that outbound mail may be intercepted or tampered with. The vulnerability stems from improper input validation (CWE‑20) and potential exposure of sensitive information (CWE‑200).

Affected Systems

The issue affects the Apache Camel Mail component distributed by the Apache Software Foundation. Vulnerable releases include 4.0.0‑4.14.7, 4.15.0‑4.18.2, and 4.19.0‑4.20.9. The component is used in Camel routes that send email via SMTP or SMTPS.

Risk and Exploitability

The EPSS score is under 1 % and the vulnerability is not listed in CISA’s KEV catalog, indicating low current exploitation probability. Nevertheless, the vulnerability can be exercised if a route accepts untrusted input (e.g., from HTTP, JMS, Kafka) and forwards it to a mail producer without removing the internal mail.* namespace headers. The ability to redirect mail transmissions or leak credentials makes the risk significant for systems exposing the Camel routes to external users. Upgrading to the fixed versions disables the per‑message override by default; it can only be re‑enabled with the explicit useJavaMailSessionPropertiesFromHeaders option on trusted endpoints. Until an upgrade is applied, the risk can be mitigated by stripping the mail.smtp.* and mail.smtps.* headers before the mail producer in the route.

Generated by OpenCVE AI on July 6, 2026 at 17:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Camel Mail component to 4.21.0; if on the 4.14.x LTS stream upgrade to 4.14.8, and if on the 4.18.x stream upgrade to 4.18.3. The upgrade disables the per‑message header override by default and prevents credential leakage.
  • If an upgrade cannot be performed immediately, insert removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') statements before the SMTP or SMTPS producer to strip the vulnerable headers from any untrusted input.
  • Ensure that any custom route never forwards headers with the mail.smtp.* or mail.smtps.* prefix; treat these headers as internal and remove or sanitize them if they might arrive from external sources.

Generated by OpenCVE AI on July 6, 2026 at 17:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Camel Mail Component. The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (for example platform-http query parameters or request headers, or JMS / Kafka messages from untrusted producers) that feeds a route ending in an smtp / smtps producer without an intervening removeHeaders. The maximal impact is version-dependent: on releases before 4.19.0, setting mail.smtp.host redirects the SMTP connection to a server under the attacker's control, and because the producer then authenticates with the endpoint's configured username and password those credentials are transmitted to the attacker; on 4.19.0 and later the producer connects to the endpoint's configured host explicitly, so the reachable impact is limited to weakening transport security (for example mail.smtp.ssl.trust, mail.smtp.starttls.enable or mail.smtp.socks.host) and interception of the outgoing message rather than host redirect. Exploitation requires a route that channels untrusted input into the mail producer without stripping the namespace. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the per-message override is disabled by default; enable it only on trusted endpoints with useJavaMailSessionPropertiesFromHeaders=true. For deployments that cannot upgrade immediately, strip the namespace before the mail producer with removeHeaders('mail.smtp.*') and removeHeaders('mail.smtps.*') between any untrusted ingress and the smtp / smtps producer. Even with the opt-in enabled, route authors should still strip the namespace on any path that carries untrusted input.
Title Apache Camel Mail: The mail producer applied attacker-supplied message headers as JavaMail session properties, allowing an attacker to influence SMTP parameters
Weaknesses CWE-20
CWE-200
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T19:26:03.975Z

Reserved: 2026-05-15T07:52:46.176Z

Link: CVE-2026-46584

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-06T17:15:16Z

Weaknesses
  • CWE-20

    Improper Input Validation

  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor