Impact
Apache Camel suffers from improper input validation that allows exchange headers lacking a Camel prefix to slip through the HeaderFilterStrategy. Attackers can supply crafted header values from untrusted sources and cause Camel to override default operations, effectively enabling them to execute arbitrary operations. The vulnerability is a classic input validation flaw identified as CWE‑20, which can lead to unauthorized command execution and potential compromise of systems.
Affected Systems
The vulnerability affects Apache Camel from the Apache Software Foundation. Versions up to and including 4.14.7, the range 4.15.0 through 4.18.2, and 4.19.0 through 4.20.0 are vulnerable. Users should upgrade to 4.14.8, 4.18.3, or 4.21.0 or later.
Risk and Exploitability
There are no publicly known exploits and the EPSS score is not available, but the flaw enables unauthenticated external input to override Camel operations, which can result in high-impact compromises. The lack of KEV listing indicates no confirmed exploitation yet, yet the potential for serious impact warrants timely remediation.
OpenCVE Enrichment