Severity: moderate 

Affected versions:

- Apache Camel (org.apache.camel:camel-nats) 4.0.0 before 4.14.8
- Apache Camel (org.apache.camel:camel-nats) 4.15.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-nats) 4.19.0 before 4.21.0

Description:

Improper Input Validation vulnerability in Apache Camel NATS component.

The camel-nats component maps inbound NATS message headers into the Camel 
Exchange but defaulted its headerFilterStrategy to a bare new 
DefaultHeaderFilterStrategy() with no inbound rules configured 
(NatsConfiguration). With no inFilter, inFilterPattern or inFilterStartsWith 
set, DefaultHeaderFilterStrategy.applyFilterToExternalHeaders returns not 
filtered for every header name, so NatsConsumer copies every NATS message 
header - including Camel-internal control headers such as CamelHttpUri, 
CamelFileName or CamelSqlQuery - unmodified onto the Camel message. A client 
able to publish to the consumed NATS subject can therefore inject arbitrary 
Camel control headers that influence the behaviour of downstream producers in 
the route (for example redirecting an HTTP producer, changing a file name, or 
overriding a query); the injected headers also persist across internal direct, 
seda and vm hops. The concrete downstream impact depends on which producers the 
route uses. NATS message headers require NATS 2.2 or later, and the issue is 
reachable without credentials when the NATS server is configured without 
authentication (the NATS server default).
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 
4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If 
users are on the 4.14.x LTS releases stream, then they are suggested to upgrade 
to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. The fix makes camel-nats default to a dedicated 
NatsHeaderFilterStrategy that filters the Camel header namespace 
case-insensitively on inbound mapping, so client-supplied Camel* / camel* 
headers are no longer copied into the Exchange. For deployments that cannot 
upgrade immediately, strip the Camel control headers from inbound NATS messages 
before they reach any downstream producer (for example removeHeaders('Camel*') 
and removeHeaders('camel*') at the start of the route), and enable 
authentication on the NATS server so that only trusted clients can publish to 
the consumed subject.

Credit:

Yu Bao from PayPal (finder)

References:

https://camel.apache.org/security/CVE-2026-46457.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-46457

Reply via email to