PT-2026-55912 · Apache · Apache Camel

Andrea Cosentino

+1

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-56140

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.0.0 through 4.14.7 Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9
Description Improper input validation exists in the camel-aws2-sns component. The Sns2HeaderFilterStrategy originally lacked an inbound filter rule, only configuring an outbound filter via setOutFilterPattern to block Camel*, breadcrumbId, and org.apache.camel.* headers. While a similar gap in the camel-aws2-sqs component allowed the injection of Camel control headers through HeaderFilterStrategy.applyFilterToExternalHeaders, this is not exploitable in camel-aws2-sns because the Sns2Endpoint is producer-only and does not support consumers, as createConsumer() throws an UnsupportedOperationException. This update is a defense-in-depth hardening measure to align the configuration with other strategies by adding a setInFilterStartsWith rule for the Camel namespace.
Recommendations Update Apache Camel versions 4.0.0 through 4.14.7 to version 4.14.8. Update Apache Camel versions 4.15.0 through 4.18.2 to version 4.18.3. Update Apache Camel versions 4.19.0 through 4.20.9 to version 4.21.0. Apply least-privilege IAM permissions on SNS topics as a general best practice.

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-56140

Affected Products

Apache Camel