Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-40047: Apache Camel Docling Argument Injection Enables OS Command Execution
CVE-2026-40047: Apache Camel Docling Argument Injection Enables OS Command Execution

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-40047

CVE-2026-40047: Apache Camel Docling Argument Injection Enables OS Command Execution

A critical argument injection vulnerability in Apache Camel's camel-docling component allows attackers to inject arbitrary CLI arguments into the docling process, achieving OS command execution. Affects Camel 4.15.0–4.18.2; upgrade to 4.18.3 or 4.19.0.

Dylan H.

Security Team

July 7, 2026
5 min read

Affected Products

  • Apache Camel 4.15.0 through 4.18.2

Executive Summary

A critical argument injection vulnerability (CVE-2026-40047) has been identified in the camel-docling component of Apache Camel, the widely used enterprise integration framework. The DoclingProducer class assembles command-line arguments for the external docling document-processing tool and launches it via java.lang.ProcessBuilder. A weak denylist-based validation mechanism can be bypassed, allowing attackers to inject arbitrary CLI arguments — and in certain configurations achieve OS-level command execution on the Camel host.

CVSS Score: 9.1 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

The vulnerability affects Apache Camel 4.15.0 through 4.18.2. Fixed versions are 4.18.3 (LTS branch) and 4.19.0 (mainline).


Vulnerability Overview

AttributeValue
CVE IDCVE-2026-40047
CVSS Score9.1 (Critical)
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
TypeArgument Injection / OS Command Execution
CWECWE-88 — Improper Neutralization of Argument Delimiters in a Command (Argument Injection)
Attack VectorNetwork
Privileges RequiredNone
User InteractionNone
Reserved2026-04-08
Published2026-07-06

Affected Versions

ComponentAffected VersionsFixed Versions
Apache Camel (camel-docling)4.15.0 through 4.18.24.18.3 (LTS), 4.19.0+ (mainline)

Technical Analysis

The camel-docling component integrates Apache Camel routes with the docling external CLI tool for document processing (PDF conversion, OCR, etc.). The DoclingProducer class builds the argument list and invokes the tool using java.lang.ProcessBuilder — which uses list-based invocation (not a shell), meaning traditional shell metacharacter injection (; | &) is not directly possible.

However, the weak denylist validation allowed two attack vectors:

Attack Vector 1: Arbitrary CLI Argument Injection

CamelDoclingCustomArguments header (List<String>) → DoclingProducer argument list
 
Denylist only rejected a small set of explicitly named flags.
Any unblocked flag name or value was passed directly to ProcessBuilder.
 
Attacker supplies: ["--output-dir", "/tmp/attacker/", "--model", "attacker_model"]
Result: docling writes output to attacker-controlled path, loads attacker model

Attack Vector 2: Directory Traversal via Path Values

The denylist only rejected values containing the literal string "../"
 
Bypasses:
  - URL-encoded: "..%2F"
  - Symlink chains
  - Unicode canonicalization variants
 
Result: Docling resolves paths outside the intended working directory

Cascading Impact

While ProcessBuilder list-form prevents direct shell injection, the injected arguments can:

  • Override output directories → write processed files to attacker-chosen paths
  • Specify attacker-controlled model paths → potential for model-loading exploits
  • Exfiltrate documents → redirect output to attacker-accessible network shares
  • Achieve code execution → if docling supports plugin/extension arguments pointing to attacker-supplied code

Patch Changes (4.18.3 / 4.19.0)

The fix replaces the weak denylist with three changes:

ChangeDescription
Strict allowlistOnly explicitly recognized docling CLI flags are permitted
Shell metacharacter rejectionDefense-in-depth — argument values are checked for metacharacters
Path normalizationValues normalized via Path.normalize() before validation to catch non-literal traversal

Affected Component: camel-docling

The camel-docling component is part of the Apache Camel ecosystem for document intelligence workflows. Routes using this component are identified by:

// Camel DSL — vulnerable usage pattern
from("direct:process-doc")
  .to("docling:convert?outputFormat=markdown");
 
// Vulnerable header — CamelDoclingCustomArguments
// Any route that maps untrusted message content to this header is exploitable
exchange.getIn().setHeader("CamelDoclingCustomArguments", 
    untrustedUserInput);  // ← VULNERABLE

Remediation

Step 1: Upgrade Apache Camel

<!-- Maven — update to fixed version in pom.xml -->
<dependency>
    <groupId>org.apache.camel</groupId>
    <artifactId>camel-docling</artifactId>
    <version>4.18.3</version>  <!-- LTS fix -->
    <!-- OR 4.19.0 for mainline -->
</dependency>
 
<!-- Verify the camel-docling version in your dependency tree -->
<!-- mvn dependency:tree | grep camel-docling -->
// Gradle — update build.gradle
implementation 'org.apache.camel:camel-docling:4.18.3'

Step 2: Audit Custom Argument Usage (Immediate)

Search your Camel routes for any usage of CamelDoclingCustomArguments that maps external input:

# Find usages in Java/XML routes
grep -r "CamelDoclingCustomArguments\|DoclingCustomArguments" src/
 
# Find Camel XML DSL routes
grep -r "docling" src/ --include="*.xml" --include="*.yaml"

Step 3: Input Validation at Route Level

Until upgrade is applied, add a strict allowlist for any CamelDoclingCustomArguments header values at the route level:

// Defensive sanitization before camel-docling (defense-in-depth)
from("direct:process")
  .process(exchange -> {
      List<String> args = exchange.getIn().getHeader(
          "CamelDoclingCustomArguments", List.class);
      if (args != null) {
          // Remove ALL custom args from untrusted sources
          exchange.getIn().removeHeader("CamelDoclingCustomArguments");
      }
  })
  .to("docling:convert");

Detection Indicators

IndicatorDescription
Docling CLI invoked with unexpected flagsArgument injection in progress
Output files written to unexpected pathsPath traversal or output redirect
CamelDoclingCustomArguments from external sourcesHigh-risk configuration
Camel version 4.15.0–4.18.2 with camel-doclingVulnerable deployment

Post-Remediation Steps

  1. Upgrade to Apache Camel 4.18.3 (LTS) or 4.19.0+ (mainline)
  2. Audit all Camel routes using camel-docling for external input mapped to CamelDoclingCustomArguments
  3. Review docling output directories for unexpected files written during the exposure window
  4. Apply principle of least privilege — run the Camel host with minimal filesystem permissions
  5. Monitor process spawn logs for unexpected docling invocation arguments

References

  • NIST NVD — CVE-2026-40047
  • Apache Camel Security
  • Apache Camel Downloads

Related Reading

  • CVE-2026-24013: Apache IoTDB Authentication Bypass via Forged Session ID
  • CVE-2026-24014: Apache IoTDB DataNode Path Traversal
#Apache Camel#CVE-2026-40047#Argument Injection#Command Injection#Integration Security#Java Security

Related Articles

CVE-2026-34038: Critical Coolify RCE via Authenticated Command Injection (CVSS 9.9)

A critical command injection vulnerability in Coolify's deployment pipeline allows any authenticated user with write access to execute arbitrary OS commands and exfiltrate all environment variables — including API keys and database credentials — on the host system.

5 min read

UniFi Connect Critical RCE via Command Injection CVE-2026-50746

A maximum-severity command injection vulnerability in Ubiquiti's UniFi Connect Application allows any network-accessible attacker to execute arbitrary OS...

4 min read

UniFi Access Application Command Injection RCE CVE-2026-50748

An improper input validation flaw in Ubiquiti's UniFi Access Application enables low-privileged network attackers to inject OS commands and execute...

4 min read
Back to all Security Alerts