Apache Camel JMS header bypass RCE (CVE-2026-40453)
CVE-2026-40453
CVE-2026-40453: Critical CVSS 9.9 JMS header injection in Apache Camel 3.x/4.x enables unauthenticated RCE and file write. Upgrade to 4.20.0 or 4.14.6/4.18.2.
Patch now - CVE-2026-40453 is a critical header-injection vulnerability in Apache Camel 3.x/4.x that lets an attacker with JMS producer access achieve remote code execution and arbitrary file write. Patched in Camel 4.20.0, 4.14.6, and 4.18.2 - upgrade immediately.
Overview
CVE-2026-40453 is a bypass of a previous security fix (CVE-2025-27636) in the Apache Camel integration framework. The original fix added case-insensitive header filtering to the HTTP header strategy by calling setLowerCase(true), but that change was not applied to five non-HTTP header filter strategies:
- JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy (camel-jms)
- SjmsHeaderFilterStrategy (camel-sjms)
- CoAPHeaderFilterStrategy (camel-coap)
- GooglePubsubHeaderFilterStrategy (camel-google-pubsub)
These strategies use case-sensitive String.startsWith("Camel") filtering, while the Camel Exchange stores headers in a case-insensitive map. This mismatch allows an attacker with JMS producer access to inject case-variant internal Camel headers (for example, "CAmelExecCommandExecutable"). Downstream components such as camel-exec and camel-file resolve these headers using their canonical casing, enabling remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components.
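The mismatch described above can be reproduced without Camel itself. The following is an added, self-contained Java model (not Camel's own code): a case-insensitive header map stands in for the Exchange, a case-sensitive prefix filter stands in for the unpatched non-HTTP strategies, and a lower-casing filter stands in for the setLowerCase(true) fix. The sample JMS properties, the class and method names, and the reserved header used (CamelFileName) are assumptions for illustration; the audit helper at the end is the kind of check a defender can run on incoming message properties to flag case-variant reserved headers before a route forwards them.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;
import java.util.function.Predicate;

// Model of the case-sensitivity mismatch (illustrative, not Camel's implementation).
public class HeaderFilterCaseMismatch {

    // Camel stores exchange headers case-insensitively; a TreeMap with a
    // case-insensitive comparator models that behaviour here.
    static Map<String, Object> newExchangeHeaders() {
        return new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
    }

    // Weak filter: case-sensitive prefix check, as in the unpatched strategies.
    // "CAmelFileName" does not start with "Camel" and therefore passes.
    static boolean weakFilterDrops(String headerName) {
        return headerName.startsWith("Camel");
    }

    // Hardened filter: compare the lower-cased name, which is what the
    // setLowerCase(true) fix achieves. Any casing of "camel..." is dropped.
    static boolean hardenedFilterDrops(String headerName) {
        return headerName.toLowerCase(Locale.ROOT).startsWith("camel");
    }

    // Copy incoming transport properties into the exchange, skipping those the filter drops.
    static Map<String, Object> applyFilter(Map<String, String> incoming, Predicate<String> drops) {
        Map<String, Object> exchange = newExchangeHeaders();
        for (Map.Entry<String, String> e : incoming.entrySet()) {
            if (!drops.test(e.getKey())) {
                exchange.put(e.getKey(), e.getValue());
            }
        }
        return exchange;
    }

    // Defensive audit: report headers that match a reserved prefix only when
    // compared case-insensitively, i.e. case variants of internal Camel headers.
    static List<String> findCaseVariantReservedHeaders(Map<String, String> incoming) {
        List<String> suspicious = new ArrayList<>();
        for (String name : incoming.keySet()) {
            if (hardenedFilterDrops(name) && !weakFilterDrops(name)) {
                suspicious.add(name);
            }
        }
        return suspicious;
    }

    public static void main(String[] args) {
        // Constructed sample of JMS message properties (not a captured message).
        Map<String, String> incoming = new LinkedHashMap<>();
        incoming.put("JMSXGroupID", "orders");
        incoming.put("CamelFileName", "reserved.txt");    // canonical casing: both filters drop it
        incoming.put("CAmelFileName", "untrusted.txt");   // case variant: only the hardened filter drops it

        Map<String, Object> weak = applyFilter(incoming, HeaderFilterCaseMismatch::weakFilterDrops);
        Map<String, Object> hard = applyFilter(incoming, HeaderFilterCaseMismatch::hardenedFilterDrops);

        // A downstream component looks up the canonical name; the case-insensitive
        // map resolves the surviving variant, so the untrusted value is honoured.
        System.out.println("weak filter: CamelFileName -> " + weak.get("CamelFileName"));      // untrusted.txt
        System.out.println("hardened filter: CamelFileName -> " + hard.get("CamelFileName"));  // null

        // Audit output a broker-side or route-side check could log or alert on.
        System.out.println("case-variant reserved headers: " + findCaseVariantReservedHeaders(incoming));
    }
}
```

Run with `javac HeaderFilterCaseMismatch.java && java HeaderFilterCaseMismatch`. The point of the model is the second lookup: the filter and the map must agree on case handling, or the filter is only checking the spelling the attacker chose not to use.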
Impact
This is a critical vulnerability with a CVSS score of 9.9. The attack vector is network-based with low complexity. An attacker needs low privileges (JMS producer access to a broker consumed by a Camel route) and no user interaction to exploit it. Affected versions include Apache Camel from 3.0.0 before 4.14.6, 4.15.0 before 4.18.2, and 4.19.0 before 4.20.0. The EPSS score is 0.1%, indicating very low probability of exploitation in the next 30 days.
Remediation
Users should upgrade to Apache Camel 4.20.0, which contains the complete fix. For those on the 4.14.x LTS release stream, upgrade to 4.14.6. For the 4.18.x release stream, upgrade to 4.18.2. There are no known workarounds that fully mitigate this vulnerability.
Security Insight
This vulnerability is a regression of a prior fix - a pattern that undermines confidence in patch quality. The original CVE-2025-27636 fix was incomplete because it applied the case-insensitive filter only to HTTP strategies, leaving five non-HTTP implementations exposed. This type of partial fix is common in large integration frameworks where developers patch the immediate attack vector but miss parallel code paths. The incident underscores the importance of thorough codebase-wide audits when applying security fixes, especially for frameworks like Apache Camel that handle multiple transport protocols with shared internal header processing. Organizations should also monitor Apache ActiveMQ CVE-2026-34197, which was added to the CISA KEV catalog, as JMS brokers are a common attack surface in these scenarios.
Related Advisories
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message h...
JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() w...
The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOut...
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. W...