PT-2026-55912 · Apache · Apache Camel
Andrea Cosentino
+1
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-56140
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Apache Camel versions 4.0.0 through 4.14.7
Apache Camel versions 4.15.0 through 4.18.2
Apache Camel versions 4.19.0 through 4.20.9
Description
Improper input validation exists in the
camel-aws2-sns component. The Sns2HeaderFilterStrategy originally lacked an inbound filter rule, only configuring an outbound filter via setOutFilterPattern to block Camel*, breadcrumbId, and org.apache.camel.* headers. While a similar gap in the camel-aws2-sqs component allowed the injection of Camel control headers through HeaderFilterStrategy.applyFilterToExternalHeaders, this is not exploitable in camel-aws2-sns because the Sns2Endpoint is producer-only and does not support consumers, as createConsumer() throws an UnsupportedOperationException. This update is a defense-in-depth hardening measure to align the configuration with other strategies by adding a setInFilterStartsWith rule for the Camel namespace.Recommendations
Update Apache Camel versions 4.0.0 through 4.14.7 to version 4.14.8.
Update Apache Camel versions 4.15.0 through 4.18.2 to version 4.18.3.
Update Apache Camel versions 4.19.0 through 4.20.9 to version 4.21.0.
Apply least-privilege IAM permissions on SNS topics as a general best practice.
RCE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Camel