Description
Improper Input Validation vulnerability in Apache Camel AWS SNS component.


The camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers from being written out) and did not configure an inbound filter rule. For the related camel-aws2-sqs component this inbound gap was exploitable, because the Sqs2Consumer maps inbound SQS message attributes into the Camel Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, allowing a message sender to inject Camel control headers (tracked as CVE-2026-46456). camel-aws2-sns, by contrast, is producer-only: Sns2Endpoint does not support consumers (createConsumer throws UnsupportedOperationException, 'You cannot receive messages from this endpoint'), so no externally-supplied message attributes are ever mapped inbound into a Camel Exchange through SNS, and the missing inbound filter rule on Sns2HeaderFilterStrategy was therefore not reachable by an attacker. As part of the same fix (CAMEL-23506), an inbound filter rule (setInFilterStartsWith for the Camel namespace) was added to Sns2HeaderFilterStrategy so that its configuration matches the corrected Sqs2HeaderFilterStrategy and the other sibling strategies. This is a defense-in-depth alignment with no known exploit path in camel-aws2-sns.


This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

This is a defense-in-depth hardening change with no known exploit path in camel-aws2-sns, which is producer-only, so no urgent action or workaround is required. Users who want the aligned behaviour can upgrade to version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on the 4.18.x releases stream, which contain the change. As a general best practice, operators should continue to apply least-privilege IAM permissions on their SNS topics.
Published: 2026-07-06
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in an improper input validation flaw in the HeaderFilterStrategy of the Apache Camel AWS2 SNS projection. The component originally lacked an inbound filtering rule, a gap that was exploitable in a sibling component allowing message senders to inject control headers. In the SNS component, however, the missing inbound rule cannot be triggered because the endpoint is producer‑only and does not accept inbound messages. Consequently, no attacker‑controlled data can reach the Camel Exchange, and the flaw cannot be leveraged for data injection or remote code execution.

Affected Systems

All releases of the Apache Camel AWS2 SNS component from 4.0.0 up to but not including 4.14.8, from 4.15.0 up to 4.18.2, and from 4.19.0 up to 4.20.9 are affected. The fixes that add the inbound filter are included in version 4.14.8 of the 4.14.x LTS stream, 4.18.3 of the 4.18.x stream, and 4.21.0 of the current release line.

Risk and Exploitability

The CVSS base score of 9.8 indicates a high theoretical severity, yet the EPSS score of less than 1% and absence from the CISA KEV catalog show a very low likelihood of exploitation. Because the component cannot consume messages, the missing inbound filter rule is unreachable by an attacker, rendering the practical risk negligible. The change is purely defensive hardening to align with sibling components.

Generated by OpenCVE AI on July 10, 2026 at 07:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel AWS2 SNS to version 4.21.0 (or to 4.14.8 for the 4.14.x LTS stream, or to 4.18.3 for the 4.18.x releases stream)
  • Apply least‑privilege IAM permissions to your SNS topics to restrict who can publish messages
  • Review producer configurations to ensure that header filtering rules meet your security requirements

Generated by OpenCVE AI on July 10, 2026 at 07:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Mon, 06 Jul 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel Aws2 Sns
Vendors & Products Apache
Apache camel Aws2 Sns

Mon, 06 Jul 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Jul 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper Input Validation vulnerability in Apache Camel AWS SNS component. The camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers from being written out) and did not configure an inbound filter rule. For the related camel-aws2-sqs component this inbound gap was exploitable, because the Sqs2Consumer maps inbound SQS message attributes into the Camel Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, allowing a message sender to inject Camel control headers (tracked as CVE-2026-46456). camel-aws2-sns, by contrast, is producer-only: Sns2Endpoint does not support consumers (createConsumer throws UnsupportedOperationException, 'You cannot receive messages from this endpoint'), so no externally-supplied message attributes are ever mapped inbound into a Camel Exchange through SNS, and the missing inbound filter rule on Sns2HeaderFilterStrategy was therefore not reachable by an attacker. As part of the same fix (CAMEL-23506), an inbound filter rule (setInFilterStartsWith for the Camel namespace) was added to Sns2HeaderFilterStrategy so that its configuration matches the corrected Sqs2HeaderFilterStrategy and the other sibling strategies. This is a defense-in-depth alignment with no known exploit path in camel-aws2-sns. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. This is a defense-in-depth hardening change with no known exploit path in camel-aws2-sns, which is producer-only, so no urgent action or workaround is required. Users who want the aligned behaviour can upgrade to version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on the 4.18.x releases stream, which contain the change. As a general best practice, operators should continue to apply least-privilege IAM permissions on their SNS topics.
Title Apache Camel AWS2 SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStrategy to align it with sibling components
Weaknesses CWE-20
References

Subscriptions

Apache Camel Aws2 Sns
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-07-06T19:31:06.707Z

Reserved: 2026-06-19T09:56:29.381Z

Link: CVE-2026-56140

cve-icon Vulnrichment

Updated: 2026-07-06T19:30:54.030Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-07-06T08:16:00Z

Links: CVE-2026-56140 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-10T07:30:12Z

Weaknesses
  • CWE-20

    Improper Input Validation