CVE-2026-33453

Published: Apr 27, 2026 Last Modified: Apr 28, 2026

ExploitDB:

Other exploit source:

Google Dorks:

CRITICAL 10,0

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Scope: changed

Confidentiality: high

Integrity: high

Availability: high

Description

AI Translation Available

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component.

Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec)

The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy.
Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all.

As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process.

The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration.

Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply.
This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0.

Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.

AI Generated Translation

Vulnerabilità di Modifica Impropriamente Controllata degli attributi degli oggetti determinati dinamicamente in Apache Camel Camel-Coap component.

Il componente camel-coap di Apache Camel è vulnerabile a iniezioni di header dei messaggi Camel, che possono portare all'esecuzione remota di codice quando le route inoltrano richieste CoAP a producer sensibili agli header (ad esempio camel-exec).

Il componente camel-coap mappa direttamente i parametri di query dell'URI della richiesta CoAP negli header dei messaggi Camel Exchange In senza applicare alcuna HeaderFilterStrategy.
In particolare, CamelCoapResource.handleRequest() itera su OptionSet.getUriQuery() e chiama camelExchange.getIn().setHeader(...) per ogni parametro di query. CoAPEndpoint estende DefaultEndpoint anziché DefaultHeaderFilterStrategyEndpoint, e CoAPComponent non implementa HeaderFilterStrategyComponent; il componente non contiene riferimenti a HeaderFilterStrategy.

Di conseguenza, un attaccante non autenticato che può inviare un singolo pacchetto UDP CoAP alla route Camel che consuma da coap:// può iniettare header arbitrari interni a Camel (quelli con prefisso Camel*) nell'Exchange. Quando la route consegna il messaggio a un producer sensibile agli header, come camel-exec, camel-sql, camel-bean, camel-file o componenti template (camel-freemarker, camel-velocity), gli header iniettati possono alterarne il comportamento. Nel caso di camel-exec, gli header CamelExecCommandExecutable e CamelExecCommandArgs sovrascrivono l'eseguibile e gli argomenti configurati sull'endpoint, portando all'esecuzione di comandi OS arbitrari con i privilegi del processo Camel.

L'output del producer viene scritto nuovamente nel corpo dell'Exchange e restituito nel payload della risposta CoAP da CamelCoapResource, offrendo all'attaccante un canale RCE interattivo senza necessità di esfiltrazione out-of-band.

I prerequisiti per lo sfruttamento sono minimi: un singolo datagram UDP non autenticato verso la porta CoAP (predefinita 5683). CoAP (RFC 7252) non prevede autenticazione integrata, e DTLS è opzionale e disabilitato di default. Poiché il protocollo si basa su UDP, i controlli WAF/IDS a livello HTTP non sono applicabili.
Questo problema riguarda Apache Camel: dalle versioni 4.14.0 alle 4.14.5, da 4.18.0 prima di 4.18.1, 4.19.0.

Si raccomanda agli utenti di aggiornare alla versione 4.18.1 o 4.19.0, che risolvono il problema.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score

0,0046

Percentile

0,6th

Updated

EPSS Score Trend (Last 4 Days)

915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Incomplete

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Integrity Other

Potential Impacts:

Modify Application Data Execute Unauthorized Code Or Commands Varies By Context Alter Execution Logic

Applicable Platforms

Languages: ASP.NET, Not Language-Specific, PHP, Python, Ruby

View CWE Details

Application

Camel by Apache

Product Information

Vendor Apache

Product Camel

Version 4.18.0

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:apache:camel:4.18.0:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Camel by Apache

Product Information

Vendor Apache

Product Camel

Version Range Affected

From 4.14.0 (inclusive)

To 4.14.5 (inclusive)

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

Application

Camel by Apache

Product Information

Vendor Apache

Product Camel

Version 4.19.0

CPE Identifier

View Detailed Analysis


                  cpe:2.3:a:apache:camel:4.19.0:*:*:*:*:*:*:*

Common Platform Enumeration - Standardized vulnerability identification

http://www.openwall.com/lists/oss-security/2026/04/26/3

https://camel.apache.org/security/CVE-2026-33453.html

CVE-2026-33453

Description

EPSS (Exploit Prediction Scoring System)

EPSS (Exploit Prediction Scoring System)

EPSS Score Trend (Last 4 Days)

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Common Consequences

Applicable Platforms

Camel by Apache

Product Information

Camel by Apache

Product Information

Camel by Apache

Product Information

Iscriviti alla newsletter