CVE-2026-33454 - Vulnerability Analysis
Critical | CVSS: 9.4 | Last Updated: April 27, 2026
Apache Camel - Injection
Published: April 27, 2026 | Updated: April 27, 2026 | Remote Exploitable
Overview
Apache Camel from 3.0.0 before 4.14.6 and from 4.15.0 before 4.18.1 contains a message header injection vulnerability caused by incomplete inbound header filtering in MailHeaderFilterStrategy. An attacker who injects malicious Camel headers can alter route behavior. Exploitation requires the attacker to deliver an email to a monitored mailbox.
Severity & Score
Severity: Critical
CVSS Score: 9.4
Impact
Attackers can alter route behavior by injecting malicious headers, potentially disrupting or manipulating application workflows.
Mitigation
Upgrade to version 4.19.0, or 4.18.1 for 4.18.x LTS, or 4.14.6 for 4.14.x LTS.
Details
- CVE ID: CVE-2026-33454
- Severity: Critical
- CVSS Score: 9.4
- Type: insecure_deserialization
- Status: unconfirmed
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L