PT-2026-55906 · Apache+1 · Apache Camel+1

Andrea Cosentino

+1

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-49099

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9
Description An injection and authorization bypass issue exists in the Apache Camel Salesforce component. The camel-salesforce producer resolves operation parameters—including SOQL queries, SOSL searches, target SObject names and IDs, Apex REST URLs, methods, and query parameters—from Exchange message headers, prioritizing these over endpoint configurations via the getParameter() function. Because the control-header constants in SalesforceEndpointConfig (such as sObjectQuery, sObjectSearch, sObjectName, sObjectId, apexUrl, and apexMethod) lacked the Camel prefix, they were not blocked by the HttpHeaderFilterStrategy at the HTTP boundary. In routes bridging an HTTP consumer to a Salesforce producer, an unauthenticated HTTP client can inject these headers to override intended operations. This allows attackers to execute unauthorized SOQL queries, SOSL searches, CRUD operations, or redirect Apex REST calls using the broad permissions of the connected Salesforce integration user.
Recommendations Upgrade Apache Camel versions 4.0.0 through 4.14.7 to version 4.14.8. Upgrade Apache Camel versions 4.15.0 through 4.18.2 to version 4.18.3. Upgrade Apache Camel versions 4.19.0 through 4.20.9 to version 4.21.0. After upgrading, update routes that set Salesforce operation parameters via raw header names to use CamelSalesforce* names (e.g., CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of sObject* or apex* values. As a temporary mitigation, strip Salesforce control headers from untrusted ingress before the Salesforce producer by using removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route, and ensure parameters are set from a trusted source.

IDOR

Special Elements Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49099

Affected Products

Apache Camel
Salesforce