Apache Camel security advisory: CVE-2026-46457

Severity

MEDIUM

Summary

Camel-NATS: Inbound NATS message headers are mapped into the Exchange without a configured HeaderFilterStrategy, allowing a client that can publish to the subject to inject Camel control headers

Versions affected

From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.

Versions fixed

4.14.8, 4.18.3 and 4.21.0

Description

The camel-nats component maps inbound NATS message headers into the Camel Exchange but defaulted its headerFilterStrategy to a bare new DefaultHeaderFilterStrategy() with no inbound rules configured (NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns false (not filtered) for every header name, so NatsConsumer copies every NATS message header - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - unmodified onto the Camel message. A client able to publish to the consumed NATS subject can therefore inject arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected headers also persist across internal direct, seda and vm hops. The concrete downstream impact depends on which producers the route uses. NATS message headers require NATS 2.2 or later, and the issue is reachable without credentials when the NATS server is configured without authentication (the NATS server default).

Notes

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-23515 refers to the various commits that resolved the issue and has more details. The fix was merged on main in https://github.com/apache/camel/pull/23233 (commit be8aad96fa04f81d2b58884e27ba6755c9ad2718) and backported to camel-4.18.x (commit 67f7ea7465a1bf637339975c69a82327890e22f0) and camel-4.14.x (commit f7022926ca9c1c94866bf32596c9869f424a3b2c). The issue is classified as CWE-20 (Improper Input Validation). It belongs to the same Camel message-header-injection family as CVE-2025-27636, CVE-2025-29891, CVE-2025-30177, CVE-2026-40453, CVE-2026-46454 and CVE-2026-47323, all of which stem from Camel components mapping inbound message headers into the Exchange without a HeaderFilterStrategy that blocks the Camel header namespace.

Mitigation

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS release stream, they are suggested to upgrade to 4.14.8. If users are on the 4.18.x release stream, they are suggested to upgrade to 4.18.3. The fix makes camel-nats default to a dedicated NatsHeaderFilterStrategy that filters the Camel header namespace case-insensitively on inbound mapping, so client-supplied Camel* / camel* headers are no longer copied into the Exchange. For deployments that cannot upgrade immediately, strip the Camel control headers from inbound NATS messages before they reach any downstream producer (for example removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and enable authentication on the NATS server so that only trusted clients can publish to the consumed subject.
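The following route is an added example, not code from the advisory or from the Camel project, showing the interim hardening on an unpatched version: a DefaultHeaderFilterStrategy with an inbound pattern that rejects the Camel header namespace case-insensitively, wired to the NATS endpoint, plus the removeHeaders() calls named above as defence in depth. The subject name, the HTTP target and the headerFilterStrategy endpoint option name are assumptions; the main() method only exercises the strategy objects and needs no NATS server.

```java
import org.apache.camel.CamelContext;
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.spi.HeaderFilterStrategy;
import org.apache.camel.support.DefaultExchange;
import org.apache.camel.support.DefaultHeaderFilterStrategy;

public class NatsHeaderFilterRoute extends RouteBuilder {

    // Inbound filter that drops every header in the Camel namespace, case-insensitively,
    // before NatsConsumer copies headers onto the Exchange. filterOnMatch defaults to true,
    // so a name matching inFilterPattern is rejected. (Constructed example; the fixed
    // versions ship an equivalent NatsHeaderFilterStrategy by default.)
    public static HeaderFilterStrategy camelNamespaceFilter() {
        DefaultHeaderFilterStrategy strategy = new DefaultHeaderFilterStrategy();
        strategy.setInFilterPattern("(?i)camel.*");
        return strategy;
    }

    // True when the strategy would block a header arriving from NATS under this name.
    public static boolean blocksInbound(HeaderFilterStrategy strategy, Exchange exchange, String name) {
        return strategy.applyFilterToExternalHeaders(name, "any-value", exchange);
    }

    @Override
    public void configure() {
        // Register the strategy so the endpoint URI can reference it as #camelNamespaceFilter
        // (subject "orders", the headerFilterStrategy option and the HTTP target are assumptions).
        getContext().getRegistry().bind("camelNamespaceFilter", camelNamespaceFilter());

        from("nats:orders?headerFilterStrategy=#camelNamespaceFilter")
            // Defence in depth: strip any Camel control header that still reaches the route
            // before the HTTP producer can act on e.g. CamelHttpUri. The wildcard match is
            // case-sensitive, hence both spellings, as the advisory recommends.
            .removeHeaders("Camel*")
            .removeHeaders("camel*")
            .to("http://inventory.internal/api/orders");
    }

    // Self-check comparing the unconfigured (vulnerable) default with the hardened strategy.
    public static void main(String[] args) {
        CamelContext ctx = new DefaultCamelContext();
        Exchange ex = new DefaultExchange(ctx);
        HeaderFilterStrategy unconfigured = new DefaultHeaderFilterStrategy();
        HeaderFilterStrategy hardened = camelNamespaceFilter();
        for (String h : new String[] {"CamelHttpUri", "camelFileName", "Nats-Msg-Id"}) {
            System.out.printf("%-14s unconfigured=%s hardened=%s%n", h,
                    blocksInbound(unconfigured, ex, h), blocksInbound(hardened, ex, h));
        }
    }
}
```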

Credit

This issue was discovered by Yu Bao from PayPal.

References

PGP signed advisory data: CVE-2026-46457.txt.asc
Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-46457