Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN525
_____________________________________________________________________

DATE                : 20/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Camel versions prior to
                              4.19.0, 4.18.2, 4.14.6.

=====================================================================
https://lists.apache.org/thread/4onh7wdtgow5jpn1718rofvx0ft2nj4w
_____________________________________________________________________

CVE-2026-47323: Apache Camel: Camel-CXF Message Header Injection via
Missing Inbound Filtering

Severity: moderate 

Affected versions:

- Apache Camel (org.apache.camel:camel-cxf-rest) 3.18.0 before 4.14.6
- Apache Camel (org.apache.camel:camel-cxf-rest) 4.15.0 before 4.18.2

Description:

Camel-CXF and Camel-Knative Message Header Injection via Missing
Inbound Filtering

The CXF and Knative HeaderFilterStrategy implementations
(CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy
in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in
camel-knative-http) only filter outbound Camel-internal headers via
setOutFilterStartsWith, while not configuring inbound filtering via
setInFilterStartsWith. As a result, an unauthenticated attacker can
inject Camel-internal headers (e.g. CamelExecCommandExecutable,
CamelFileName) via HTTP requests to CXF-RS or CXF-SOAP endpoints.
When a route forwards messages from these endpoints to header-driven
components such as camel-exec or camel-file, the injected headers
override configured values, enabling remote code execution or
arbitrary file writes. This is the same pattern that was previously
addressed in camel-undertow (CVE-2025-30177), the broader
incoming-header filter (CVE-2025-27636 and CVE-2025-29891), and
non-HTTP strategies (CVE-2026-40453).


This issue affects Apache Camel: from 3.18.0 before 4.14.6, from
4.15.0 before 4.18.2.

Users are recommended to upgrade to version 4.19.0, which fixes the
issue. If users are on the 4.18.x LTS releases stream, then they
are suggested to upgrade to 4.18.2. If users are on the 4.14.x
LTS releases stream, then they are suggested to upgrade to 4.14.6.

Credit:

Quac Tran (finder)

References:

https://camel.apache.org/security/CVE-2026-47323.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-47323

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================