Apache Camel security advisory: CVE-2026-49042
Severity
MEDIUMSummary
Camel-Langchain4j-Tools: Tool argument headers are not filtered against declared parameters, allowing an LLM to inject arbitrary Exchange headers via tool call argumentsVersions affected
From 4.8.0 before 4.18.3, from 4.19.0 before 4.21.0.Versions fixed
4.18.3 and 4.21.0Description
Improper Input Validation vulnerability in Apache Camel. The camel-langchain4j-tools, camel-langchain4j-agent and camel-spring-ai-tools producers set all JSON field names returned by the LLM in a tool-call response as Exchange message headers without filtering them against the tool's declared parameter schema. An attacker who can influence the LLM output (for example via prompt injection) can include arbitrary field names in the tool arguments JSON - including Camel-internal control headers such as CamelFileName, CamelHttpUri or CamelExecCommandExecutable - which are then set as Exchange headers and influence the behaviour of downstream producers in the route. The fix filters tool argument field names against the tool specification's declared parameters: only fields whose name matches a declared parameter are set as Exchange headers; undeclared fields are logged at WARN level and skipped.Notes
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23621 refers to the various commits that resolved the issue, and has more details. The fix was merged on main in https://github.com/apache/camel/pull/23535 (commit 7e65891f77aee72dc24c8099e9ba48a93962042b) and backported to camel-4.18.x in https://github.com/apache/camel/pull/23551 (commit 5d0028f6bc7a70556dc1d408b1b6cadb59e1842d). The fix adds parameter-schema filtering to three components: LangChain4jToolsProducer and LangChain4jAgentProducer check the tool specification’s JsonObjectSchema.properties() keyset before setting each argument as a header, and SpringAiToolsEndpoint checks its declared parameters map. In camel-langchain4j-agent the fix also extracts primitive values (int, long, double, boolean, String) from tool arguments instead of setting raw JsonNode objects as headers. The camel-langchain4j-tools component was introduced in 4.8.0 and camel-langchain4j-agent in 4.12.0; neither component exists in the 4.14.x LTS release line prior to 4.14.0, but the 4.14.x LTS line does include these components and should upgrade to 4.18.3 or later. The issue is classified as CWE-20 (Improper Input Validation).
Mitigation
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, only tool argument fields that match a declared parameter in the tool specification are set as Exchange headers. Tools defined without parameter declarations will have zero argument headers set from LLM tool calls - this is a breaking change for routes that rely on implicit argument passthrough; to restore argument flow, declare the expected parameters explicitly via the parameter.NAME=TYPE endpoint option. For deployments that cannot upgrade immediately, strip untrusted headers after the tool invocation (for example removeHeaders(‘Camel*’) and removeHeaders(‘camel*’) after the langchain4j-tools endpoint) and declare explicit parameter schemas for every tool so the LLM-returned arguments are constrained.Credit
This issue was discovered by Yu Bao from PayPalReferences
- PGP signed advisory data: CVE-2026-49042.txt.asc
- Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-49042