CVE-2026-33453

Description

Apache Camel's camel-coap component is vulnerable to header injection because it maps CoAP request URI query parameters directly into Camel message headers without applying a HeaderFilterStrategy. An unauthenticated attacker can send a crafted CoAP request to inject arbitrary Camel internal headers into the exchange. When a vulnerable route forwards that exchange to a header-sensitive downstream producer, the attacker may be able to control producer behavior. For example, in routes using camel-exec, injected headers can override the configured executable and arguments, which can result in arbitrary command execution with the privileges of the Camel process. Command output may be returned to the attacker in the CoAP response. This issue affects org.apache.camel:camel-coap from 4.14.0 through 4.14.5 and from 4.18.0 before 4.18.1. It is fixed in 4.14.6, 4.18.1, and 4.19.0.

How to fix CVE-2026-33453

To remediate CVE-2026-33453, upgrade the affected package to a fixed version below.

• —upgrade to 4.14.6 or later

Is CVE-2026-33453 being exploited?

Moderate — EPSS is 6.1%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

• >= 4.14.0, < 4.14.6

CVSS scores

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-33453
• PATCHgithub.com/apache/camel/blob/main/components/camel-coap
• WEBcamel.apache.org/security/CVE-2026-33453.html
• WEBgithub.com/apache/camel/commit/05cffa5ec05ff2ec3c50a77825625da6e426e7a8