# Apache Camel Security Advisory: CVE-2026-33454

## Vulnerability Overview

- **Severity**: High
- **Summary**: Camel-Mail header injection vulnerability due to inadequate filtering.
- **Description**:
  - The Camel-Mail component contains a Camel header injection vulnerability.
  - The custom header filter strategy (`MailHeaderFilterStrategy`) only filters the "out" direction via `setOutFilterStartsWith`, while the "in" direction's `setInFilterStartsWith` is not configured.
  - When a Camel application consumes emails via camel-mail (e.g., through `imap://...` or `pop3://...`), the inbound filter check is skipped, and Camel-prefixed MIME headers are mapped into the Exchange without filtering.
  - An attacker can deliver emails to mailboxes monitored by the consumer, injecting Camel-specific headers to alter the behavior of downstream Camel components (such as camel-bean, camel-exec, or camel-sql).
  - This issue is similar to previously resolved camel-undertow vulnerabilities (CVE-2025-30177) and broader inbound header filter vulnerabilities (CVE-2025-27636 and CVE-2025-29891).

## Affected Versions

- **Affected Versions**:
  - 3.0.0 to 4.14.6
  - 4.15.0 to 4.18.1

## Remediation

- **Fixed Versions**:
  - 4.14.6
  - 4.18.1
  - 4.19.0
- **Mitigation**:
  - Users are advised to upgrade to version 4.19.0 to resolve the issue.
  - If using the 4.18.x LTS release branch, it is recommended to upgrade to 4.18.1.
  - If using the 4.14.x LTS release branch, it is recommended to upgrade to 4.14.6.

## Additional Information

- **Notes**:
  - JIRA Ticket: [https://issues.apache.org/jira/browse/CAMEL-23222](https://issues.apache.org/jira/browse/CAMEL-23222)
  - Related CVEs: CVE-2025-27636, CVE-2025-29891, CVE-2025-30177
- **Contributors**:
  - Discovered and reported by: Hyunwoo Kim (@v4bel)
- **References**:
  - PGP Signed Advisory Data: [CVE-2026-33454.txt.asc](CVE-2026-33454.txt.asc)
  - Mitre CVE Entry: [https://www.cve.org/CVERecord?id=CVE-2026-33454](https://www.cve.org/CVERecord?id=CVE-2026-33454)
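The advisory's root cause is a `HeaderFilterStrategy` configured for the "out" direction only. The following is an added, defense-in-depth example (not Camel's own fix, and no substitute for upgrading to a fixed version): a strategy built on Camel's `DefaultHeaderFilterStrategy` that drops Camel-prefixed headers in both directions, bound to a mail consumer through the endpoint's `headerFilterStrategy` option. The class name, the registry bean name `hardenedMailFilter`, the mailbox address and the header names passed to the self-check are all constructed for this example.

```java
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

// Hypothetical hardened strategy: filters Camel-prefixed headers in BOTH
// directions, closing the inbound gap the advisory describes.
public class HardenedMailHeaderFilterStrategy extends DefaultHeaderFilterStrategy {

    public HardenedMailHeaderFilterStrategy() {
        // "out": Camel message headers -> MIME headers on mail being sent.
        setOutFilterStartsWith("Camel", "camel", "org.apache.camel.");
        // "in": MIME headers on received mail -> headers on the Camel Exchange.
        // This is the direction the advisory says was left unconfigured.
        setInFilterStartsWith("Camel", "camel", "org.apache.camel.");
    }

    // Route binding: the mail consumer references the strategy as a registry
    // bean via the endpoint's headerFilterStrategy option.
    public static class MailRoute extends RouteBuilder {
        @Override
        public void configure() {
            getContext().getRegistry().bind("hardenedMailFilter", new HardenedMailHeaderFilterStrategy());
            from("imap://inbox@mail.example.invalid?headerFilterStrategy=#hardenedMailFilter")
                .to("log:inbound");
        }
    }

    // Self-check on constructed header names. applyFilterToExternalHeaders is the
    // "in" direction and returns true when the header must be dropped. A null
    // Exchange is acceptable here because the default strategy only consults it
    // in extendedFilter, which this subclass does not override.
    public static void main(String[] args) {
        HardenedMailHeaderFilterStrategy strategy = new HardenedMailHeaderFilterStrategy();
        boolean camelHeaderDropped = strategy.applyFilterToExternalHeaders("CamelExampleHeader", "x", (Exchange) null);
        boolean subjectKept = !strategy.applyFilterToExternalHeaders("Subject", "hello", (Exchange) null);
        System.out.println("inbound Camel* header dropped: " + camelHeaderDropped);
        System.out.println("ordinary Subject header kept:  " + subjectKept);
    }
}
```

Running the self-check with the advisory's own `MailHeaderFilterStrategy` in place of this class on an affected version would show the inbound `Camel*` header passing through, which is a quick way to confirm whether a deployment is exposed before and after upgrading.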