Apache Camel JMS, Apache Camel CoAP, Apache Camel Google PubSub: Incomplete fix for CVE-2025-27636 in non-HTTP HeaderFilterStrategies (camel-jms, camel-sjms, camel-coap, camel-google-pubsub) allows case-variant header injection

Summary

CVE	CVE-2026-40453
State	PUBLISHED
Assigner	apache
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-27 09:16:01 UTC
Updated	2026-04-28 19:43:55 UTC
Description	The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Risk And Classification

Primary CVSS: v3.1 9.9 CRITICAL from ADP

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS: 0.000580000 probability, percentile 0.179010000 (date 2026-04-27)

Problem Types: CWE-178 | CWE-178 CWE-178 Improper Handling of Case Sensitivity

Version	Source	Type	Score	Severity	Vector
3.1	ADP	DECLARED	9.9	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`
3.1	134c704f-9b21-4f2e-91b3-4a467353bcc0	Secondary	9.9	CRITICAL	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`

CVSS v3.1 Breakdown

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Camel	All	All	All	All

Vendor Declared Affected Products

Source	Vendor	Product	Version	Platforms
CNA	Apache Software Foundation	Apache Camel JMS	affected 3.0.0 4.14.6 semver	Not specified
CNA	Apache Software Foundation	Apache Camel JMS	affected 4.15.0 4.18.2 semver	Not specified
CNA	Apache Software Foundation	Apache Camel JMS	affected 4.19.0 4.20.0 semver	Not specified
CNA	Apache Software Foundation	Apache Camel CoAP	affected 3.0.0 4.14.6 semver	Not specified
CNA	Apache Software Foundation	Apache Camel CoAP	affected 4.15.0 4.18.2 semver	Not specified
CNA	Apache Software Foundation	Apache Camel CoAP	affected 4.19.0 4.20.0 semver	Not specified
CNA	Apache Software Foundation	Apache Camel Google PubSub	affected 3.0.0 4.14.6 semver	Not specified
CNA	Apache Software Foundation	Apache Camel Google PubSub	affected 4.15.0 4.18.2 semver	Not specified
CNA	Apache Software Foundation	Apache Camel Google PubSub	affected 4.19.0 4.20.0 semver	Not specified

References

Reference	Source	Link	Tags
camel.apache.org/security/CVE-2026-40453.html	[email protected]	camel.apache.org	Vendor Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

Vendor Comments And Credit

Discovery Credit

CNA: Saroj Khadka (en)

There are currently no legacy QID mappings associated with this CVE.