Message Header Injection Vulnerability in Apache Camel CXF and Knative
CVE-2026-47323

9.8CRITICAL

Key Information:

Vendor: Apache
Status: Apache Camel
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-47323?

The implementations of HeaderFilterStrategy in Apache Camel, specifically CxfRsHeaderFilterStrategy and KnativeHttpHeaderFilterStrategy, fail to appropriately filter inbound headers, allowing unauthenticated attackers to inject internal Camel headers through HTTP requests. This vulnerability can lead to the overriding of key configuration values, causing potential remote code execution and arbitrary file write vulnerabilities when messages are processed by header-driven components. It is crucial for users running affected versions to upgrade to version 4.19.0 or to the latest LTS releases to mitigate these risks.

Affected Version(s)

Apache Camel 3.18.0 < 4.14.6

Apache Camel 4.15.0 < 4.18.2

References

https://camel.apache.org/security/CVE-2026-47323.html

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
May 19, 2026

Credit

Quac Tran

CVE-2026-47323 Data

JSON