PT-2026-35394 · Apache · Apache Camel

Hyunwoo Kim · Published 2026-03-20 · Updated 2026-05-04 · CVE-2026-33453

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Camel versions 4.14.0 through 4.14.5
Apache Camel versions prior to 4.18.1
Apache Camel version 4.19.0
Description
The camel-coap component is susceptible to message header injection. The CamelCoapResource.handleRequest() function iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter without applying a HeaderFilterStrategy. This allows an unauthenticated remote attacker to inject arbitrary internal headers (prefixed with Camel*) by sending a single CoAP UDP packet to a route consuming from 'coap://'.

If the route forwards the request to header-sensitive producers such as 'camel-exec', 'camel-sql', 'camel-bean', 'camel-file', or template components ('camel-freemarker', 'camel-velocity'), the injected headers can alter the producer's behavior. Specifically, with 'camel-exec', the CamelExecCommandExecutable and CamelExecCommandArgs headers can override the configured settings and achieve arbitrary OS command execution with the privileges of the Camel process. The command output is returned in the CoAP response payload, providing an interactive remote code execution channel.
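The missing check described above, as an added example that is not code from the Apache Camel project: a helper that copies untrusted query parameters into message headers only after a HeaderFilterStrategy has rejected internal header names. The class name, the filter pattern and the copyQueryToHeaders signature are assumptions; the Camel types used (Exchange, HeaderFilterStrategy, DefaultHeaderFilterStrategy from org.apache.camel.support) are assumed to follow the Camel 3.x/4.x API.

```java
import java.util.Map;

import org.apache.camel.Exchange;
import org.apache.camel.spi.HeaderFilterStrategy;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

/**
 * Illustrative consumer-side guard (not the project's fix): query parameters
 * coming from the network are untrusted and must not be able to set headers
 * that Camel components treat as control input (e.g. CamelExecCommandExecutable).
 */
public class FilteredQueryHeaders {

    /**
     * Assumption: an "in" filter that rejects any external header whose name
     * starts with "Camel" or "org.apache.camel", case-insensitively. The in
     * filter is the one consulted for headers travelling from an external
     * system into Camel.
     */
    public static HeaderFilterStrategy internalHeaderFilter() {
        DefaultHeaderFilterStrategy strategy = new DefaultHeaderFilterStrategy();
        strategy.setInFilterPattern("(?i)(Camel|org\\.apache\\.camel)[\\.a-zA-Z0-9]*");
        return strategy;
    }

    /**
     * Copies query parameters into the inbound message, skipping every name the
     * strategy rejects. Returns how many parameters were actually copied so a
     * caller (or a test) can observe that internal names were dropped.
     */
    public static int copyQueryToHeaders(Map<String, String> query, Exchange exchange,
                                         HeaderFilterStrategy strategy) {
        int copied = 0;
        for (Map.Entry<String, String> entry : query.entrySet()) {
            // applyFilterToExternalHeaders returns true when the header must be filtered out
            if (strategy.applyFilterToExternalHeaders(entry.getKey(), entry.getValue(), exchange)) {
                // untrusted caller tried to set an internal header: do not propagate it
                continue;
            }
            exchange.getIn().setHeader(entry.getKey(), entry.getValue());
            copied++;
        }
        return copied;
    }
}
```

With this guard in place a query string such as ?CamelExecCommandExecutable=x&user=alice yields exactly one header (user), because the first name matches the in-filter pattern and is never set on the exchange.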
Recommendations
Upgrade to version 4.18.1.
Upgrade to version 4.19.0.

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2026-06059
CVE-2026-33453
GHSA-695C-X5GC-94GJ

Affected Products

Apache Camel