Apache Camel security advisory: CVE-2026-46584
Severity
MEDIUMSummary
Camel-Mail: The mail producer applied attacker-supplied mail.smtp.* / mail.smtps.* message headers as JavaMail session properties, allowing an attacker to weaken the SMTP transport security and, on releases before 4.19.0, redirect the connection and steal the configured SMTP credentialsVersions affected
From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.Versions fixed
4.14.8, 4.18.3 and 4.21.0Description
The camel-mail producer (MailProducer.getSender) scanned the outgoing Exchange for message headers in the mail.smtp. / mail.smtps. namespace and, when any were present, built a per-message JavaMail sender with those values applied as JavaMail session properties, overriding the endpoint configuration. This namespace is Camel-internal - only MailProducer interprets it - and was not blocked by any HeaderFilterStrategy, so the values could originate from any inbound protocol (for example platform-http query parameters or request headers, or JMS / Kafka messages from untrusted producers) that feeds a route ending in an smtp / smtps producer without an intervening removeHeaders. The maximal impact is version-dependent: on releases before 4.19.0, setting mail.smtp.host redirects the SMTP connection to a server under the attacker's control, and because the producer then authenticates with the endpoint's configured username and password those credentials are transmitted to the attacker; on 4.19.0 and later the producer connects to the endpoint's configured host explicitly, so the reachable impact is limited to weakening transport security (for example mail.smtp.ssl.trust, mail.smtp.starttls.enable or mail.smtp.socks.host) and interception of the outgoing message rather than host redirect. Exploitation requires a route that channels untrusted input into the mail producer without stripping the namespace.Notes
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23522 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23362 (commit 1e31abca3213cde447a2ded1adc070ffec6836f1) and backported to camel-4.18.x (commit 725175e3aa16216361acc8497345f8e00536d2e0) and camel-4.14.x (commit 2d2815d256068f15d42da3af27fa86fb5efad2ab). The fix gates the per-message JavaMail session-property override behind a new endpoint option useJavaMailSessionPropertiesFromHeaders (default false, marked security=insecure:ssl), and as defense in depth MailHeaderFilterStrategy now filters the mail.smtp. / mail.smtps. prefixes on inbound mapping. This is a default-tightening breaking change: routes that legitimately rely on per-message mail.smtp.* headers must opt back in with useJavaMailSessionPropertiesFromHeaders=true. The issue is classified as CWE-20 (Improper Input Validation), with credential and message exposure impact (CWE-200, Exposure of Sensitive Information). It is related to the same Camel header-injection family as CVE-2025-27636, CVE-2025-29891, CVE-2025-30177, CVE-2026-40453, CVE-2026-46454 and CVE-2026-47323 (CAMEL-23222), applied to a namespace the original sweep did not cover.
Mitigation
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, the per-message override is disabled by default; enable it only on trusted endpoints with useJavaMailSessionPropertiesFromHeaders=true. For deployments that cannot upgrade immediately, strip the namespace before the mail producer with removeHeaders(‘mail.smtp.’) and removeHeaders(‘mail.smtps.’) between any untrusted ingress and the smtp / smtps producer. Even with the opt-in enabled, route authors should still strip the namespace on any path that carries untrusted input.Credit
This issue was discovered by Yu Bao from PayPalReferences
- PGP signed advisory data: CVE-2026-46584.txt.asc
- Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-46584