Improper Input Validation in Apache Camel Cometd Component
CVE-2026-46454

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-46454?

An improper input validation vulnerability exists in the Apache Camel Cometd Component, which maps inbound Bayeux message headers into the Camel Exchange without adequate filtering. The lack of a HeaderFilterStrategy allows unvalidated header names, including sensitive Camel control headers, to be accepted unmodified. As a result, any client that successfully establishes a Bayeux handshake can publish messages without authentication, enabling attackers to inject arbitrary headers that may alter the behavior of downstream producers. This can lead to significant impacts based on the specific route configurations. Users are strongly urged to upgrade to the latest versions that implement necessary security measures, including a HeaderFilterStrategy to restrict client-supplied Camel headers.

Affected Version(s)

Apache Camel 4.0.0 < 4.14.8

Apache Camel 4.15.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu Bao from Paypal
.