CVE-2026-40453 Apache Software Foundation CVE debrief

Who should care

Apache Camel users, administrators, and security teams should be aware of this critical vulnerability. Affected versions of Apache Camel are widely used in various industries, including finance, healthcare, and government. The vulnerability can be exploited by an attacker with JMS producer access, making it a high-risk issue for organizations that use Apache Camel.

Technical summary

The vulnerability is caused by a case-insensitive header filtering issue in non-HTTP HeaderFilterStrategy implementations, including JmsHeaderFilterStrategy, ClassicJmsHeaderFilterStrategy, SjmsHeaderFilterStrategy, CoAPHeaderFilterStrategy, and GooglePubsubHeaderFilterStrategy. An attacker with JMS producer access can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file. This allows for remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components.

Defensive priority

This vulnerability has a CVSS score of 9.9 and is classified as CRITICAL. Organizations using affected versions of Apache Camel should prioritize patching or applying mitigations to prevent exploitation.

Recommended defensive actions

• Upgrade to Apache Camel version 4.20.0 or later
• Apply the suggested mitigations for affected versions
• Review and update JMS producer access controls
• Monitor Apache Camel logs for suspicious activity
• Perform a thorough inventory of affected systems and prioritize patching

Evidence notes

The vulnerability was publicly disclosed on April 27, 2026, and has since been modified on June 27, 2026. The CVE record and NVD detail pages provide additional information on the vulnerability. Vendor advisories and source references are available for further guidance.

Official resources