Header Injection Vulnerability in Apache Camel Email Component
CVE-2026-33454
What is CVE-2026-33454?
The Camel-Mail component is vulnerable to header injection because Camel message headers are not filtered when email is consumed. The MailHeaderFilterStrategy applies its filter only to outbound messages; no inbound filter is configured, so the MIME headers of a received message are copied onto the Camel exchange unchecked. An attacker who can deliver email to a mailbox that a Camel route polls can therefore set Camel-prefixed headers that downstream components such as camel-bean, camel-exec or camel-sql act on, changing the behaviour of the route. The flaw is similar to earlier header-handling vulnerabilities in Camel, which is why staying on a maintained version matters. Users should upgrade to Apache Camel 4.19.0 or, on the LTS streams, to 4.18.1 or 4.14.6 as appropriate.
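The following is an added illustration, not code from Apache Camel: a small Python model of a two-direction header filter strategy applied to a consumed email. The unpatched configuration has only an outbound filter (mirroring the advisory), so sender-controlled MIME headers whose names look like Camel-internal headers land on the message unchanged; the patched configuration applies the same pattern inbound and drops them. The regex, the class and method names, the sample email and the header names in it are all constructed for this example and are not Camel's own.

```python
import re
from email import message_from_string

# Simplified pattern for recognising Camel-internal header names.
# Assumption: illustrative only, not the exact regex Camel uses.
CAMEL_INTERNAL_HEADER = re.compile(r"(?i)^(camel|org\.apache\.camel)[a-z0-9.]*$")


class HeaderFilterStrategy:
    """Models a header filter with two directions (hypothetical class, not Camel's):
    'out' filters Camel headers leaving for the external system,
    'in' filters external headers entering a Camel message."""

    def __init__(self, out_filter, in_filter=None):
        self.out_filter = out_filter
        self.in_filter = in_filter  # None models the unconfigured inbound check

    def filter_external_header(self, name):
        """True if an inbound (external -> Camel) header must be dropped."""
        return self.in_filter is not None and bool(self.in_filter.match(name))

    def filter_camel_header(self, name):
        """True if an outbound (Camel -> external) header must be dropped."""
        return self.out_filter is not None and bool(self.out_filter.match(name))


def consume_email(raw_email, strategy):
    """Map the MIME headers of a consumed email onto a Camel-style header dict,
    keeping only headers the strategy's inbound filter allows."""
    msg = message_from_string(raw_email)
    headers = {}
    for name, value in msg.items():
        if strategy.filter_external_header(name):
            continue  # dropped before it can influence downstream components
        headers[name] = value
    return headers


def audit_inbound_headers(raw_email):
    """Detection helper: names of MIME headers in a received message that look
    like Camel-internal headers, i.e. headers a mail sender should never set."""
    msg = message_from_string(raw_email)
    return [name for name, _ in msg.items() if CAMEL_INTERNAL_HEADER.match(name)]


# Constructed sample email; the Camel-looking header names are placeholders.
SAMPLE_EMAIL = (
    "From: sender@example.invalid\n"
    "To: monitored@example.invalid\n"
    "Subject: quarterly report\n"
    "CamelExampleHeader: value-controlled-by-sender\n"
    "org.apache.camel.Example: also-controlled-by-sender\n"
    "X-Mailer: example-client\n"
    "\n"
    "Body text.\n"
)

# Outbound-only filtering, as described in the advisory.
UNPATCHED_STRATEGY = HeaderFilterStrategy(out_filter=CAMEL_INTERNAL_HEADER)
# The same pattern applied in both directions.
PATCHED_STRATEGY = HeaderFilterStrategy(out_filter=CAMEL_INTERNAL_HEADER,
                                        in_filter=CAMEL_INTERNAL_HEADER)

if __name__ == "__main__":
    print("suspicious inbound headers:", audit_inbound_headers(SAMPLE_EMAIL))
    print("unpatched:", sorted(consume_email(SAMPLE_EMAIL, UNPATCHED_STRATEGY)))
    print("patched:  ", sorted(consume_email(SAMPLE_EMAIL, PATCHED_STRATEGY)))
```

The audit function is the part worth keeping around independently of the upgrade: run over messages arriving in a route-polled mailbox, a non-empty result is a cheap signal that someone is probing the mail component.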
Affected Version(s)
Apache Camel from 3.0.0 up to (excluding) 4.14.6
Apache Camel from 4.15.0 up to (excluding) 4.18.1