Description
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component.

The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig (for example SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod, and the apexQueryParam. prefix) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a salesforce: producer, any HTTP client could therefore set these headers and override what the route intended - supplying its own SOQL query or SOSL search to read data from any SObject the connected Salesforce user can access, overriding the target SObject name and id for CRUD operations, or redirecting an Apex REST call to a different endpoint and HTTP method (including destructive methods) with injected query parameters. All such operations run with the full permissions of the Salesforce connected (integration) user, which is typically broad. No credentials are required from the attacker when the bridging consumer is unauthenticated.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObject* / apex* values; the endpoint-option spelling is unchanged. For deployments that cannot upgrade immediately, strip the Salesforce control headers from any untrusted ingress before the salesforce: producer (for example removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route), and set the query, SObject and Apex parameters from a trusted source.
Published: 2026-07-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Camel Salesforce is susceptible to header injection that allows an attacker to supply arbitrary SOQL queries, SOSL searches, or Apex REST calls by setting non-Camel-prefixed Exchange header constants. Because the HTTP header filter only blocks Camel-prefixed headers, these values bypass the filter and are read as operation parameters by the camel-salesforce producer. The injected parameters run with the full permissions of the connected Salesforce integration user, permitting unauthorized data access, modification, or deletion without requiring credentials from the attacker.

Affected Systems

Apache Camel Salesforce component versions from 4.0.0 up to but not including 4.14.8, from 0 up to but not including 4.18.3, and from 4.19.0 up to but not including 4.21.0 are affected. Affected deployments include routes that bridge an HTTP consumer (e.g., platform-http) into a salesforce: producer where Exchange header constants are used for Salesforce operation parameters.

Risk and Exploitability

The EPSS score is less than 1%, indicating a low probability of exploitation. However, the vulnerability grants extensive privileges because the injected operations execute with the full rights of the Salesforce connected user, and authentication is not required when the bridging consumer is unauthenticated. The CVE does not appear in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending crafted HTTP requests that include the vulnerable headers, bypassing internal safeguards and potentially causing data exfiltration or destructive actions.

Generated by OpenCVE AI on July 7, 2026 at 11:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Apache Camel 4.21.0 (or the appropriate LTS release: 4.14.8 for 4.14.x, 4.18.3 for 4.18).
  • After upgrading, replace any use of legacy sObject*/apex* header names with the new CamelSalesforce* prefixes in all routes.
  • If upgrading cannot be performed immediately, strip the Salesforce control headers from untrusted HTTP ingress before invoking the salesforce: producer (for example removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route) and set the operation parameters from a trusted source.

Generated by OpenCVE AI on July 7, 2026 at 11:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel Salesforce
Vendors & Products Apache
Apache camel Salesforce

Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig (for example SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod, and the apexQueryParam. prefix) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a salesforce: producer, any HTTP client could therefore set these headers and override what the route intended - supplying its own SOQL query or SOSL search to read data from any SObject the connected Salesforce user can access, overriding the target SObject name and id for CRUD operations, or redirecting an Apex REST call to a different endpoint and HTTP method (including destructive methods) with injected query parameters. All such operations run with the full permissions of the Salesforce connected (integration) user, which is typically broad. No credentials are required from the attacker when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObject* / apex* values; the endpoint-option spelling is unchanged. For deployments that cannot upgrade immediately, strip the Salesforce control headers from any untrusted ingress before the salesforce: producer (for example removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route), and set the query, SObject and Apex parameters from a trusted source.
Title Apache Camel Salesforce: Non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to influence internal behaviour
Weaknesses CWE-639
CWE-74
References

Subscriptions

Apache Camel Salesforce
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-07T12:30:34.187Z

Reserved: 2026-05-27T11:46:24.688Z

Link: CVE-2026-49099

cve-icon Vulnrichment

Updated: 2026-07-06T09:25:43.240Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T11:15:03Z

Weaknesses
  • CWE-639

    Authorization Bypass Through User-Controlled Key

  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')