Apache Camel
22 CVEs affecting Apache Camel. Latest disclosed: 2026-05-19. Critical: 10, High: 7.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-33453 | Critical | 10.0 | 2026-04-27 | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap c… |
| CVE-2026-40453 | Critical | 9.9 | 2026-04-27 | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filt… |
| CVE-2026-47323 | Critical | 9.8 | 2026-05-19 | Camel-CXF and Camel-Knative Message Header Injection via Missing Inbound Filtering. The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilter… |
| CVE-2026-40860 | Critical | 9.8 | 2026-04-27 | JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values… |
| CVE-2017-12634 | Critical | 9.8 | 2017-11-15 | The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializi… |
| CVE-2017-12633 | Critical | 9.8 | 2017-11-15 | The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializ… |
| CVE-2016-8749 | Critical | 9.8 | 2017-03-28 | Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks. |
| CVE-2017-3159 | Critical | 9.8 | 2017-03-07 | Apache Camel's camel-snakeyaml component is vulnerable to Java object de-serialization vulnerability. De-serializing untrusted data can lead to security flaws. |
| CVE-2015-5344 | Critical | 9.8 | 2016-02-03 | The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allows remote attackers to execute arbitrary commands via a crafted serialize… |
| CVE-2026-33454 | Critical | 9.4 | 2026-04-27 | The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) on… |
| CVE-2026-27172 | High | 8.8 | 2026-04-27 | The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method)… |
| CVE-2026-40858 | High | 8.8 | 2026-04-27 | The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInpu… |
| CVE-2026-40473 | High | 8.8 | 2026-04-27 | The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInp… |
| CVE-2026-40022 | High | 8.2 | 2026-04-27 | When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path su… |
| CVE-2015-5348 | High | 8.1 | 2016-04-15 | Apache Camel 2.6.x through 2.14.x, 2.15.x before 2.15.5, and 2.16.x before 2.16.1, when using (1) camel-jetty or (2) camel-servlet as a consumer in Camel route… |
| CVE-2026-40048 | High | 7.8 | 2026-04-27 | The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStre… |
| CVE-2017-5643 | High | 7.4 | 2017-03-16 | Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE. |
| CVE-2015-0264 | | | 2015-06-03 | Multiple XML external entity (XXE) vulnerabilities in builder/xml/XPathBuilder.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 allow remote attacke… |
| CVE-2015-0263 | | | 2015-06-03 | XML external entity (XXE) vulnerability in the XML converter setup in converter/jaxp/XmlConverter.java in Apache Camel before 2.13.4 and 2.14.x before 2.14.2 a… |
| CVE-2014-0003 | | | 2014-03-21 | The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remote attackers to execute arbitrary Java… |