Command Injection Vulnerability in Apache Camel Docling Component
CVE-2026-40047

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-40047?

A command injection vulnerability exists in the Apache Camel Docling component due to improper validation of custom CLI arguments. The vulnerability arises when the DoclingProducer constructs an argument list for the external 'docling' command-line tool, where insufficient validation may allow an attacker to inject unrecognized or unintended CLI flags. This occurs because the existing denylist mechanism fails to block path-like values effectively. Attackers could leverage this flaw to execute commands that traverse outside permitted directories, posing a risk of unauthorized access. Users are advised to upgrade to version 4.19.0 or later to incorporate a fix that employs a strict allowlist for CLI flags and enhances argument validation.

Affected Version(s)

Apache Camel 4.15.0 < 4.18.3

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Andrea Cosentino from Apache Software Foundation
Andrea Cosentino from Apache Software Foundation
.