Share
## https://sploitus.com/exploit?id=B120961D-CC7F-5299-A1A0-4E66F545D330
# camel-mail `mail.smtp.*` Header Injection Reproducer (CVE-2026-46584)

This project demonstrates a **message-header injection** in Apache Camel's `camel-mail` component, tracked as
**CVE-2026-46584**. When a `smtp` / `smtps` producer sends a message, `MailProducer.getSender(Exchange)` scans the
inbound Exchange headers for any starting with `mail.smtp.` (or `mail.smtps.`) and folds them into the JavaMail
`Session` used for that send โ€” with **no filtering and no opt-in gate** on affected versions. An attacker who can
place headers on the Exchange (for example through an HTTP front-end, whose non-`Camel*` headers pass the default
HTTP header filter) can therefore rewrite the victim's JavaMail transport settings for a single send.

This PoC demonstrates the impact as **credential theft via on-path interception**: injecting
`mail.smtp.socks.host` / `mail.smtp.socks.port` tunnels the victim's *authenticated* SMTP connection through a
SOCKS proxy the attacker controls. The proxy transparently forwards to the real server โ€” so the victim's send
still succeeds โ€” while it harvests the plaintext `AUTH LOGIN` credentials in transit.

Advisory: https://camel.apache.org/security/CVE-2026-46584.html

## Vulnerability Summary

| Property | Value |
|----------|-------|
| **Component** | `camel-mail` |
| **Affected Class** | `org.apache.camel.component.mail.MailProducer#getSender(Exchange)` |
| **CWE** | CWE-20 (Improper Input Validation) / CWE-200 (Information Exposure) |
| **Impact** | Inbound `mail.smtp.*` headers rewrite the JavaMail session โ†’ transport interception, credential theft, trust/TLS weakening |
| **Preconditions** | An affected route sends via `smtp`/`smtps` and lets untrusted input reach the Exchange headers |
| **Affected Versions** | From 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0 |
| **Fixed Versions** | 4.14.8, 4.18.3, 4.21.0 |
| **JIRA** | CAMEL-23522 |
| **Reporter** | Yu Bao (PayPal) |

## Technical Details

```java
// MailProducer (affected 4.18.2) โ€” every send consults the inbound headers:
protected JavaMailSender getSender(Exchange exchange) {
    String prefix = "mail.smtp.";
    Map additional = URISupport.extractProperties(exchange.getMessage().getHeaders(), prefix);
    if (additional.isEmpty()) {
        prefix = "mail.smtps.";
        additional = URISupport.extractProperties(exchange.getMessage().getHeaders(), prefix);
    }
    if (additional.isEmpty()) {
        return defaultSender;                                  // no injected props -> normal path
    }
    JavaMailSender customSender = getEndpoint().getConfiguration().createJavaMailSender(...);
    additional.forEach((k, v) -> customSender.addAdditionalJavaMailProperty(prefix + k, v.toString()));
    return customSender;                                       // >> STOLEN by the attacker's on-path proxy:      victim / s3cr3t-smtp-pw

>>> Header-injection / credential-theft proof โ€” the attacker harvested the victim's
>>> configured SMTP credentials by injecting mail.smtp.* headers over HTTP: true
```

The legitimate request never touches the proxy. The attack request โ€” differing only by two extra HTTP headers โ€”
tunnels the victim's authenticated SMTP session through the attacker's proxy, which walks away with the victim's
configured SMTP password while the send itself succeeds undisturbed.

## Attack Vectors

Any route with an `smtp`/`smtps` producer where untrusted input can reach the Exchange headers. Beyond the SOCKS
interception shown here, other injectable session properties include `mail.smtp.ssl.trust` and
`mail.smtp.ssl.checkserveridentity` (accept a MITM certificate), `mail.smtp.starttls.enable` /
`mail.smtp.starttls.required` (downgrade to plaintext), and `mail.smtp.from` (envelope-sender spoofing).

## Recommended Fix

Upgrade to **4.14.8 / 4.18.3 / 4.21.0** (CAMEL-23522). After the fix, header-supplied JavaMail session properties
are ignored unless the route explicitly enables `useJavaMailSessionPropertiesFromHeaders`, and the `mail.smtp.` /
`mail.smtps.` namespace is filtered on inbound mapping.

## Mitigation

Until upgrading:

1. Strip the property namespace before the mail producer: `.removeHeaders("mail.smtp.*")` and
   `.removeHeaders("mail.smtps.*")` (and, generally, `.removeHeaders("Camel*")`).
2. Do not let untrusted producers place arbitrary headers on Exchanges that feed a mail producer โ€” apply a strict
   `HeaderFilterStrategy` on the inbound side.

## Disclaimer

This reproducer is provided for **security research and authorized testing only**, for a **publicly disclosed and
fixed** vulnerability. Do not use it against systems without explicit permission.