Apache Camel 4.14.x < 4.14.6 / 4.15.x < 4.18.1 RCE (CVE-2026-33453)

critical Nessus Plugin ID 322982

Synopsis

The remote host contains an integration framework that is affected by a remote code execution vulnerability.

Description

The version of Apache Camel on the remote host is 4.14.x prior to 4.14.6 or 4.15.x through 4.18.x prior to 4.18.1. It is, therefore, affected by a remote code execution vulnerability:

- The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. An unauthenticated attacker who can send a CoAP UDP packet to a Camel route can inject arbitrary Camel internal headers into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, the injected headers can override the executable and arguments, resulting in arbitrary OS command execution. (CVE-2026-33453)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
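
The version ranges above can be applied to an inventory of self-reported Camel versions as in the following added example, which is not part of the plugin or of Apache Camel. The hostnames, sample versions and the "review" status for qualified builds are assumptions made for illustration, and like the plugin it judges by version string only.

```python
import re

# Ranges as stated in the description: 4.14.x prior to 4.14.6,
# and 4.15.x through 4.18.x prior to 4.18.1. Upper bounds are exclusive.
AFFECTED_RANGES = [((4, 14, 0), (4, 14, 6)), ((4, 15, 0), (4, 18, 1))]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text):
    """Split '4.18.1-SNAPSHOT' into ((4, 18, 1), '-SNAPSHOT')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch or 0)), qualifier


def classify(version_text):
    """Return (status, fixed_release) for a self-reported Camel version."""
    version, qualifier = parse_version(version_text)
    for low, fixed in AFFECTED_RANGES:
        fixed_text = ".".join(map(str, fixed))
        if low <= version < fixed:
            return "affected", fixed_text
        # Assumption: a qualified build numbered like the fixed release
        # (for example a -SNAPSHOT) may predate the fix, so flag it.
        if version == fixed and qualifier:
            return "review", fixed_text
    # Outside the listed ranges; the page makes no statement about these.
    return "not-in-range", None


def triage(inventory):
    """Map each (host, version) pair to its classification."""
    return {host: classify(version) for host, version in inventory}


# Constructed inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    ("int-gw-01", "4.14.5"),
    ("int-gw-02", "4.14.6"),
    ("int-gw-03", "4.16.0"),
    ("int-gw-04", "4.18.1-SNAPSHOT"),
    ("int-gw-05", "4.18.1"),
]

if __name__ == "__main__":
    for host, (status, fixed) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}" + (f" (upgrade to {fixed} or later)" if fixed else ""))
```

A "not-in-range" result means only that the version falls outside the ranges listed on this page; whether a flagged host is actually exposed also depends on whether a route uses camel-coap.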

Solution

Upgrade to Apache Camel version 4.14.6, 4.18.1, or later.

See Also

https://camel.apache.org/security/CVE-2026-33453.html

http://www.openwall.com/lists/oss-security/2026/04/26/3

Plugin Details

Severity: Critical

ID: 322982

File Name: apache_camel_CVE-2026-33453.nasl

Version: 1.1

Type: Local

Agent: windows, macosx, unix

Family: Misc.

Published: 6/26/2026

Updated: 6/26/2026

Configuration: Enable thorough checks (optional)

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-33453

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:apache:camel

Required KB Items: installed_sw/Apache Camel

Patch Publication Date: 4/27/2026

Vulnerability Publication Date: 4/27/2026

Reference Information

CVE: CVE-2026-33453