VYPR
Moderate severity · NVD Advisory · Published Apr 1, 2025 · Updated Apr 1, 2025

Apache Camel: Camel-Undertow Message Header Injection via Improper Filtering

CVE-2025-30177

Description

Bypass/injection vulnerability in the Camel-Undertow component of Apache Camel under particular conditions.

This issue affects Apache Camel: from 4.10.0 before 4.10.3, from 4.8.0 before 4.8.6.

Users are recommended to upgrade to version 4.10.3 for 4.10.x LTS and 4.8.6 for 4.8.x LTS.

The Camel undertow component is vulnerable to Camel message header injection: the custom header filter strategy used by the component only filters the "out" direction and does not filter the "in" direction.

This allows an attacker to include Camel-specific headers that, for some Camel components, can alter behaviour, such as the camel-bean component or the camel-exec component.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Camel-Undertow's header filter only blocks outgoing headers, enabling injection of Camel-specific headers via HTTP requests that can alter component behavior like bean invocation or command execution.

Root Cause

The vulnerability arises from the Camel-Undertow component's custom header filter strategy, which only applies filtering to headers in the "out" direction but does not filter incoming headers [1][2]. This oversight allows an attacker to include Camel-specific headers in HTTP requests that are not sanitized by the component.

Exploitation

An attacker can exploit this by sending crafted HTTP requests to an endpoint using camel-undertow that routes to a camel-bean or camel-exec component. The injected headers can manipulate the behavior of these components, such as calling unintended methods on beans or altering command execution [1][4]. The attack is possible without authentication if the Camel application is exposed to the internet.

Impact

Successful exploitation could allow an attacker to invoke arbitrary bean methods or execute system commands via the camel-exec component, potentially leading to unauthorized data access, code execution, or system compromise [1]. The specific impact depends on the application's routing and component configuration.

Mitigation

Users should upgrade to Apache Camel 4.10.3 (for 4.10.x LTS) or 4.8.6 (for 4.8.x LTS) to fix the header filtering issue [1][2]. The fix ensures the header filter is applied to both incoming and outgoing directions. No workaround is available; upgrading is required to eliminate the vulnerability.
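The root cause and the fix described above, as an added example that is not Camel's own code: a small Python model of a header filter strategy with separate "in" and "out" filters. With only the out filter configured (the state before the fix) the constructed Camel-style request headers pass through unchanged; with the in filter enabled as well (what the patch adds) they are dropped. Header names, the sample request and all function names are constructed for illustration, and the `suspicious_headers` check is an extra defender-side audit of inbound requests, not something from the advisory.

```python
# Added example (not Camel's code): a minimal model of the Camel-Undertow
# header filter strategy, showing why filtering only the "out" direction
# lets Camel-style headers arrive from the HTTP client, and what the fix changes.
# Header names and the sample request below are constructed for illustration.

# Prefixes named in the patched strategy's comment ("Camel", "org.apache.camel"),
# compared case-insensitively because HTTP header names are case-insensitive.
CAMEL_FILTER_STARTS_WITH = ("camel", "org.apache.camel")


def is_camel_header(name: str) -> bool:
    """True if the header name looks like an internal Camel header."""
    lowered = name.lower()
    return any(lowered.startswith(p) for p in CAMEL_FILTER_STARTS_WITH)


def filter_headers(headers: dict, direction: str, filter_in: bool, filter_out: bool) -> dict:
    """Drop Camel headers travelling in `direction` only if that direction's filter is on."""
    enabled = filter_in if direction == "in" else filter_out
    if not enabled:
        return dict(headers)
    return {k: v for k, v in headers.items() if not is_camel_header(k)}


def inbound_before_fix(headers: dict) -> dict:
    # Only setOutFilterStartsWith(...) was called: nothing is removed on the way in.
    return filter_headers(headers, "in", filter_in=False, filter_out=True)


def inbound_after_fix(headers: dict) -> dict:
    # setInFilterStartsWith(...) is now called too, so the in direction is filtered.
    return filter_headers(headers, "in", filter_in=True, filter_out=True)


def suspicious_headers(headers: dict) -> list:
    """Defender check: header names an HTTP client has no legitimate reason to send
    to a Camel endpoint, worth flagging in proxy or access logs."""
    return sorted(k for k in headers if is_camel_header(k))


# Constructed request: two ordinary headers plus three Camel-style ones.
SAMPLE_REQUEST = {
    "Host": "camel-app.example",
    "Content-Type": "application/json",
    "CamelExampleHeader": "x",
    "camelexampleheader2": "y",
    "org.apache.camel.ExampleHeader": "z",
}
```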

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions     Patched versions
org.apache.camel:camel-undertow  Maven       >= 4.10.0, < 4.10.3   4.10.3
org.apache.camel:camel-undertow  Maven       >= 4.8.0, < 4.8.6     4.8.6

Patches

Commit 9fd8fc30dbd9

CAMEL-21876 - Undertow Header Filter Strategy: Considering also the in filter (#17476)

https://github.com/apache/camel · Andrea Cosentino · Mar 17, 2025 · via ghsa
1 file changed · +1 −0
  • components/camel-undertow/src/main/java/org/apache/camel/component/undertow/UndertowHeaderFilterStrategy.java+1 0 modified
    @@ -33,5 +33,6 @@ protected void initialize() {
             // filter headers begin with "Camel" or "org.apache.camel"
             // must ignore case for Http based transports
             setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    +        setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
         }
     }
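Review bot: the comment at the top of the hunk says these prefixes must be matched ignoring case for HTTP transports, but nothing in the visible lines shows the case-insensitive setting being applied, so confirm it covers the newly added in filter as well as the existing out filter; otherwise a request header spelled in lowercase would still get through. The change also touches only UndertowHeaderFilterStrategy.java with no accompanying test; a route test that sends a request carrying a `Camel`-prefixed header and asserts it is absent from the exchange would pin the fix against regression.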
    
