Header Injection Vulnerability in Apache Camel Email Component
CVE-2026-33454

9.4 CRITICAL

Key Information:

Vendor: Apache

CVE Published: 27 April 2026

What is CVE-2026-33454?

The camel-mail component allows header injection because Camel message headers are not filtered when email is consumed. The MailHeaderFilterStrategy only applies filtering on outbound messages; no filter is configured for inbound (consumed) messages. As a result, an attacker can deliver a crafted email to a monitored mailbox whose MIME headers carry Camel-prefixed names, and those headers are copied onto the Camel message, where they may manipulate the behaviour of downstream Camel components such as camel-bean, camel-exec, or camel-sql. This flaw has parallels with earlier header-filtering vulnerabilities in Camel, which underlines the importance of staying on maintained versions. Users should upgrade to Apache Camel 4.19.0 or, for LTS streams, to 4.18.1 or 4.14.6 as appropriate.
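The following is an added illustration, not code from Apache Camel or from this advisory, that models the inbound-filter gap described above and the two defensive checks a practitioner would want: the weak behaviour (no inbound filter, every MIME header is copied onto the message) beside the hardened one (headers whose name matches a Camel prefix are dropped on consumption), plus a mailbox audit that flags messages already carrying such headers. The sample email, its header names and the prefix pattern are constructed for illustration; the real fix is to upgrade to the versions named above.

```python
"""Model of inbound mail-header filtering for a Camel-style consumer.

Added example, not Apache Camel's own code. It reproduces the semantics
the advisory describes (external headers copied onto the message with no
inbound filter) and the hardened variant (inbound filter on a Camel prefix).
"""
import re
from email import message_from_string

# Constructed sample: an otherwise ordinary email whose MIME headers include
# Camel-prefixed names. The names are illustrative; the filter keys on the
# prefix, not on any specific name.
SAMPLE_EMAIL = """\
From: sender@example.invalid
To: orders@example.invalid
Subject: Invoice 42
X-Custom-Note: fine
CamelBeanMethodName: deleteAll
CamelSqlQuery: select 1
Content-Type: text/plain; charset=utf-8

Please find the invoice attached.
"""

# Assumed inbound filter pattern: any header name starting with "camel",
# matched case-insensitively because MIME header names are case-insensitive.
CAMEL_HEADER_PATTERN = re.compile(r"^camel.*", re.IGNORECASE)


def filter_inbound_headers(msg, in_filter_pattern=None):
    """Return (kept, dropped) dicts of headers.

    With in_filter_pattern=None this models the vulnerable behaviour: every
    external header is accepted onto the Camel message unchanged. With a
    pattern, headers whose name matches are dropped before the message is
    handed to downstream components.
    """
    kept, dropped = {}, {}
    for name, value in msg.items():
        if in_filter_pattern is not None and in_filter_pattern.match(name):
            dropped[name] = value
        else:
            kept[name] = value
    return kept, dropped


def consume(raw_email, hardened):
    """Parse one raw email and apply the weak or hardened inbound filter."""
    msg = message_from_string(raw_email)
    pattern = CAMEL_HEADER_PATTERN if hardened else None
    return filter_inbound_headers(msg, pattern)


def audit_mailbox(raw_messages):
    """Detection: list (subject, suspicious header names) for every message
    in the mailbox that carries Camel-prefixed MIME headers."""
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        hits = sorted(n for n in msg.keys() if CAMEL_HEADER_PATTERN.match(n))
        if hits:
            findings.append((msg.get("Subject", ""), hits))
    return findings


if __name__ == "__main__":
    kept, dropped = consume(SAMPLE_EMAIL, hardened=False)
    print("weak   : dropped", sorted(dropped))
    kept, dropped = consume(SAMPLE_EMAIL, hardened=True)
    print("hardened: dropped", sorted(dropped))
    print("audit  :", audit_mailbox([SAMPLE_EMAIL]))
```

The audit function is the useful piece for an incident responder: run it over messages already sitting in the monitored mailbox to learn whether Camel-prefixed headers have been arriving, independently of whether the consumer has been patched.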

Affected Version(s)

Apache Camel >= 3.0.0 and < 4.14.6

Apache Camel >= 4.15.0 and < 4.18.1


CVSS v3.1

Score: 9.4
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published (27 April 2026)

  • Vulnerability reserved

Credit

Hyunwoo Kim (@v4bel)