Apache Camel header injection via email (CVE-2026-33454)
CVE-2026-33454: Critical camel-mail header injection (CVSS 9.4) lets attackers alter route behavior. Affects Apache Camel 3.0.0-4.14.5, 4.15.0-4.18.0. Update to 4.19.0.
Patch now - CVE-2026-33454 is a critical header injection vulnerability in Apache Camel’s camel-mail component (versions 3.0.0 through 4.14.5 and 4.15.0 through 4.18.0) that lets an attacker send a crafted email to inject Camel-specific headers into the message exchange, potentially altering downstream route behavior. This can lead to unauthorized code execution or data manipulation in components like camel-bean, camel-exec, or camel-sql.
Overview
CVE-2026-33454 affects the Apache Camel camel-mail component when applications consume email via IMAP or POP3 protocols (e.g., from("imap://...")). The vulnerability lies in the MailHeaderFilterStrategy configuration: it only filters outgoing headers (setOutFilterStartsWith) but does not filter incoming headers (setInFilterStartsWith). This allows an attacker who can deliver a malicious email to the monitored mailbox to inject Camel message headers into the route’s Exchange object.
The injected headers can then influence downstream Camel components. For example, the camel-bean component could be tricked into invoking arbitrary methods, camel-exec could run arbitrary system commands, and camel-sql could manipulate database queries. This is the same class of header injection flaw previously fixed in camel-undertow (CVE-2025-30177) and related to the broader incoming-header filter fixes (CVE-2025-27636 and CVE-2025-29891).
Impact
With a CVSS score of 9.4 (Critical), the vulnerability is exploitable over the network with low complexity and no user interaction. An attacker needs only to send a specially crafted email to a mailbox that a vulnerable Camel route consumes. The confidentiality, integrity, and availability impacts are all rated high, because the attacker can execute arbitrary code, modify data, or disrupt services through the affected downstream components.
Remediation
Users must upgrade to the fixed versions immediately:
- Upgrade to Apache Camel 4.19.0 for the latest fixes.
- Users on the 4.18.x LTS stream should upgrade to 4.18.1.
- Users on the 4.14.x LTS stream should upgrade to 4.14.6.
No workarounds are available; patching is the only effective mitigation.
Security Insight
This vulnerability continues a concerning pattern in Apache Camel where header injection flaws appear across different components over successive releases. The similarity to CVE-2025-30177 (camel-undertow) and the CVE-2025 series suggests that the core header filtering logic needs a comprehensive audit rather than piecemeal component-by-component fixes. Organizations running Camel routes that consume external data should monitor for additional CVE disclosures and consider adding a defense-in-depth layer that validates or strips unexpected headers before they reach sensitive components. The fact that this same pattern reappears despite previous patches indicates that preventive controls, such as a mandatory inbound header allowlist at the framework level, would be a stronger long-term investment than reactive patching.
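As an added defense-in-depth example (not code from this advisory or from the Camel project), the Java route below shows what the Overview describes as missing from MailHeaderFilterStrategy and what the paragraph above recommends: a DefaultHeaderFilterStrategy that filters inbound as well as outbound headers via setInFilterStartsWith, plus an explicit processor that strips any Camel-prefixed header regardless of letter case before the exchange reaches downstream components. The mailbox URI, the bean name and the use of @BindToRegistry (which assumes Camel Main or Spring Boot bean post-processing) are assumptions; this layer complements the upgrade to a fixed version, it does not replace it.

```java
import java.util.Iterator;
import java.util.Locale;
import java.util.Map;
import org.apache.camel.BindToRegistry;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

// Defense-in-depth for routes that consume mail: make sure headers carried by
// an incoming email cannot seed Camel-specific headers into the Exchange.
public class MailInboundHeaderGuard extends RouteBuilder {

    // Registered under an assumed bean name and referenced from the endpoint URI.
    @BindToRegistry("mailHeaderFilterStrategy")
    public DefaultHeaderFilterStrategy mailHeaderFilterStrategy() {
        DefaultHeaderFilterStrategy strategy = new DefaultHeaderFilterStrategy();
        // Lower-case the header name before matching, so a case variant such as
        // 'CAmelExecCommandExecutable' is filtered like 'CamelExecCommandExecutable'.
        strategy.setLowerCase(true);
        // Filter inbound (mail -> Exchange) headers, not only outbound ones.
        strategy.setInFilterStartsWith("camel", "org.apache.camel.");
        strategy.setOutFilterStartsWith("camel", "org.apache.camel.");
        return strategy;
    }

    // Belt and braces: remove any header still starting with 'camel' (any case).
    // Returns the number of headers removed so the step can be logged or tested.
    public static int stripCamelHeaders(Map<String, Object> headers) {
        int removed = 0;
        for (Iterator<String> it = headers.keySet().iterator(); it.hasNext();) {
            if (it.next().toLowerCase(Locale.ROOT).startsWith("camel")) {
                it.remove();
                removed++;
            }
        }
        return removed;
    }

    @Override
    public void configure() {
        // Hypothetical mailbox; the strategy is wired in with the headerFilterStrategy option.
        from("imap://inbox@mail.example.invalid?password=RAW(changeme)"
             + "&headerFilterStrategy=#mailHeaderFilterStrategy")
            .process(exchange -> stripCamelHeaders(exchange.getMessage().getHeaders()))
            .to("log:mail-inbound?showHeaders=true");
    }
}
```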