## https://sploitus.com/exploit?id=B120961D-CC7F-5299-A1A0-4E66F545D330
# camel-mail `mail.smtp.*` Header Injection Reproducer (CVE-2026-46584)
This project demonstrates a **message-header injection** in Apache Camel's `camel-mail` component, tracked as
**CVE-2026-46584**. When a `smtp` / `smtps` producer sends a message, `MailProducer.getSender(Exchange)` scans the
inbound Exchange headers for any starting with `mail.smtp.` (or `mail.smtps.`) and folds them into the JavaMail
`Session` used for that send โ with **no filtering and no opt-in gate** on affected versions. An attacker who can
place headers on the Exchange (for example through an HTTP front-end, whose non-`Camel*` headers pass the default
HTTP header filter) can therefore rewrite the victim's JavaMail transport settings for a single send.
This PoC demonstrates the impact as **credential theft via on-path interception**: injecting
`mail.smtp.socks.host` / `mail.smtp.socks.port` tunnels the victim's *authenticated* SMTP connection through a
SOCKS proxy the attacker controls. The proxy transparently forwards to the real server โ so the victim's send
still succeeds โ while it harvests the plaintext `AUTH LOGIN` credentials in transit.
Advisory: https://camel.apache.org/security/CVE-2026-46584.html
## Vulnerability Summary
| Property | Value |
|----------|-------|
| **Component** | `camel-mail` |
| **Affected Class** | `org.apache.camel.component.mail.MailProducer#getSender(Exchange)` |
| **CWE** | CWE-20 (Improper Input Validation) / CWE-200 (Information Exposure) |
| **Impact** | Inbound `mail.smtp.*` headers rewrite the JavaMail session โ transport interception, credential theft, trust/TLS weakening |
| **Preconditions** | An affected route sends via `smtp`/`smtps` and lets untrusted input reach the Exchange headers |
| **Affected Versions** | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 |
| **Fixed Versions** | 4.14.8, 4.18.3, 4.21.0 |
| **JIRA** | CAMEL-23522 |
| **Reporter** | Yu Bao (PayPal) |
## Technical Details
```java
// MailProducer (affected 4.18.2) โ every send consults the inbound headers:
protected JavaMailSender getSender(Exchange exchange) {
String prefix = "mail.smtp.";
Map additional = URISupport.extractProperties(exchange.getMessage().getHeaders(), prefix);
if (additional.isEmpty()) {
prefix = "mail.smtps.";
additional = URISupport.extractProperties(exchange.getMessage().getHeaders(), prefix);
}
if (additional.isEmpty()) {
return defaultSender; // no injected props -> normal path
}
JavaMailSender customSender = getEndpoint().getConfiguration().createJavaMailSender(...);
additional.forEach((k, v) -> customSender.addAdditionalJavaMailProperty(prefix + k, v.toString()));
return customSender; // >> STOLEN by the attacker's on-path proxy: victim / s3cr3t-smtp-pw
>>> Header-injection / credential-theft proof โ the attacker harvested the victim's
>>> configured SMTP credentials by injecting mail.smtp.* headers over HTTP: true
```
The legitimate request never touches the proxy. The attack request โ differing only by two extra HTTP headers โ
tunnels the victim's authenticated SMTP session through the attacker's proxy, which walks away with the victim's
configured SMTP password while the send itself succeeds undisturbed.
## Attack Vectors
Any route with an `smtp`/`smtps` producer where untrusted input can reach the Exchange headers. Beyond the SOCKS
interception shown here, other injectable session properties include `mail.smtp.ssl.trust` and
`mail.smtp.ssl.checkserveridentity` (accept a MITM certificate), `mail.smtp.starttls.enable` /
`mail.smtp.starttls.required` (downgrade to plaintext), and `mail.smtp.from` (envelope-sender spoofing).
## Recommended Fix
Upgrade to **4.14.8 / 4.18.3 / 4.21.0** (CAMEL-23522). After the fix, header-supplied JavaMail session properties
are ignored unless the route explicitly enables `useJavaMailSessionPropertiesFromHeaders`, and the `mail.smtp.` /
`mail.smtps.` namespace is filtered on inbound mapping.
## Mitigation
Until upgrading:
1. Strip the property namespace before the mail producer: `.removeHeaders("mail.smtp.*")` and
`.removeHeaders("mail.smtps.*")` (and, generally, `.removeHeaders("Camel*")`).
2. Do not let untrusted producers place arbitrary headers on Exchanges that feed a mail producer โ apply a strict
`HeaderFilterStrategy` on the inbound side.
## Disclaimer
This reproducer is provided for **security research and authorized testing only**, for a **publicly disclosed and
fixed** vulnerability. Do not use it against systems without explicit permission.