PatchSiren cyber security CVE debrief

CVE-2026-33454 Apache Software Foundation CVE debrief

CVE-2026-33454 is a critical vulnerability in Apache Camel's Camel-Mail component. The custom header filter strategy used by the component only filters the 'out' direction, leaving the 'in' direction unfiltered. This allows an attacker to inject Camel-specific headers, potentially altering the behavior of downstream Camel components. The vulnerability affects Apache Camel versions from 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0 or apply patches to mitigate the issue.

Vendor: Apache Software Foundation
Product: Apache Camel
CVSS: CRITICAL 9.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-27
Original CVE updated: 2026-06-27
Advisory published: 2026-04-27
Advisory updated: 2026-06-27

Who should care

Apache Camel users, administrators, and security teams should be aware of this vulnerability. The affected versions are widely deployed across industries, so it should be treated as a critical issue. Security teams should prioritize patching or upgrading to mitigate potential attacks.

Technical summary

The Camel-Mail component in Apache Camel is vulnerable to message header injection because of a flawed custom header filter strategy. The strategy filters only the 'out' direction and leaves the 'in' direction unfiltered, so Camel-specific headers carried by a received message are not stripped. An attacker who can deliver such a message can therefore inject Camel-specific headers and potentially alter the behavior of downstream Camel components such as camel-bean, camel-exec, or camel-sql. The vulnerability is rated Critical with a CVSS score of 9.4.

Defensive priority

High priority should be given to patching or upgrading affected Apache Camel instances. Security teams should work closely with development teams to ensure timely mitigation of this vulnerability.

Recommended defensive actions

  • Upgrade to Apache Camel version 4.19.0 or later
  • If staying on an older line, move to the patched releases: 4.14.6 for the 3.0.0 to 4.14.x range, or 4.18.1 for the 4.15.0 to 4.18.x range
  • Review Camel-Mail component configurations, in particular the header filter strategy in use and whether it filters inbound ('in') headers as well as outbound ('out') headers
  • Monitor mail-driven routes for unexpected Camel-specific headers on inbound messages and implement additional security measures as appropriate
  • Perform thorough vulnerability assessments and penetration testing
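
The technical summary above describes a filter that covers only the 'out' direction, and the configuration-review action asks operators to check which directions their strategy covers. The following Java is an added example, not code from the Apache Camel project or from this debrief: it implements `org.apache.camel.spi.HeaderFilterStrategy` so that the same Camel-header rule is applied in both directions, and wires it onto a mail consumer endpoint. The mapping of the advisory's 'out' direction to `applyFilterToCamelHeaders` and 'in' direction to `applyFilterToExternalHeaders`, the prefix list, the endpoint URI, the bean name `camelHeaderFilter`, and the `{{mail.user}}`/`{{mail.password}}` property placeholders are assumptions of this example. Upgrading to a fixed release remains the primary action given by the advisory; this shows what a direction-complete filter looks like when reviewing a configuration.

```java
import java.util.Locale;

import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.spi.HeaderFilterStrategy;

/**
 * Added example: drops Camel-internal header names in BOTH directions.
 * Assumed policy for illustration, not the Camel project's own strategy class.
 */
public class BidirectionalCamelHeaderFilter implements HeaderFilterStrategy {

    // Assumed prefixes for Camel's own headers; compared case-insensitively
    // because mail header names are case-insensitive on the wire.
    private static final String[] CAMEL_PREFIXES = { "camel", "org.apache.camel" };

    static boolean isCamelHeader(String headerName) {
        if (headerName == null) {
            return false;
        }
        String lower = headerName.toLowerCase(Locale.ROOT);
        for (String prefix : CAMEL_PREFIXES) {
            if (lower.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }

    /** 'out' direction: Camel message headers about to be written into an outgoing mail. */
    @Override
    public boolean applyFilterToCamelHeaders(String headerName, Object headerValue, Exchange exchange) {
        return isCamelHeader(headerName); // returning true means "filter this header out"
    }

    /** 'in' direction: headers read from a received mail before they become Camel headers. */
    @Override
    public boolean applyFilterToExternalHeaders(String headerName, Object headerValue, Exchange exchange) {
        return isCamelHeader(headerName); // the direction the advisory says was left unfiltered
    }

    /** Route wiring; endpoint URI, bean name and placeholders are assumptions of this example. */
    public static class MailRoute extends RouteBuilder {
        @Override
        public void configure() {
            getCamelContext().getRegistry().bind("camelHeaderFilter", new BidirectionalCamelHeaderFilter());
            from("imaps://mail.example.test"
                    + "?username={{mail.user}}&password={{mail.password}}"
                    + "&headerFilterStrategy=#camelHeaderFilter")
                .to("log:inbound");
        }
    }

    /** Stand-alone check of the filter decision; no CamelContext or mail server needed. */
    public static void main(String[] args) {
        BidirectionalCamelHeaderFilter filter = new BidirectionalCamelHeaderFilter();
        // Constructed sample of header names as they might arrive on an inbound mail.
        String[] constructedInbound = { "Subject", "From", "CamelFileName", "ORG.APACHE.CAMEL.Foo" };
        for (String name : constructedInbound) {
            boolean dropped = filter.applyFilterToExternalHeaders(name, "x", null);
            System.out.println(name + " -> " + (dropped ? "dropped" : "kept"));
        }
    }
}
```

When reviewing an existing deployment, the question to ask of whatever strategy is bound to `headerFilterStrategy` on each mail endpoint is whether `applyFilterToExternalHeaders` rejects Camel-style names, not only `applyFilterToCamelHeaders`; a strategy that answers `false` for every external header is the shape of configuration this advisory describes.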

Evidence notes

The CVE-2026-33454 vulnerability was publicly disclosed on April 27, 2026, and the record was last updated on June 27, 2026. The vulnerability affects multiple versions of Apache Camel, and users are advised to upgrade or apply patches to mitigate the issue. The CVSS score of 9.4 indicates a Critical severity level.

Official resources

This article is AI-assisted and based on the supplied source corpus.