PT-2026-55905 · Apache · Apache Camel
Andrea Cosentino
+1
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-49098
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Apache Camel versions 4.0.0 through 4.14.7
Apache Camel versions 4.15.0 through 4.18.2
Apache Camel versions 4.19.0 through 4.20.9
Description
An injection issue exists in the Apache Camel Kafka component due to improper input validation and incorrect neutralization of special elements. The
camel-kafka producer allows the configured target topic to be overridden at runtime via the kafka.OVERRIDE TOPIC Exchange header because the KafkaProducer.evaluateTopic() function prioritizes the header value over the endpoint configuration. While the KafkaHeaderFilterStrategy filters the kafka.* namespace during Kafka-to-Exchange serialization, it does not apply to headers arriving from upstream consumers in multi-component routes. For instance, an HTTP consumer using HttpHeaderFilterStrategy only blocks the Camel or camel namespace, allowing kafka.* headers to pass through. Consequently, an unauthenticated HTTP client could use the kafka.OVERRIDE TOPIC header to redirect messages to arbitrary internal topics or inject crafted messages into critical downstream services. Similarly, the kafka.OVERRIDE TIMESTAMP and kafka.PARTITION KEY variables can be injected to backdate messages or target specific partitions.Recommendations
Update Apache Camel versions 4.0.0 through 4.14.7 to version 4.14.8.
Update Apache Camel versions 4.15.0 through 4.18.2 to version 4.18.3.
Update Apache Camel versions 4.19.0 through 4.20.9 to version 4.21.0.
After updating, replace raw
kafka.* header names with CamelKafka* names, such as CamelKafkaOverrideTopic and CamelKafkaTopic.
As a temporary mitigation, remove kafka.* headers from untrusted ingress using removeHeaders('kafka.*') at the start of the route and ensure the target topic is set from a trusted source.Special Elements Injection
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Apache Camel