External risk intelligence

Apache Camel Cometd Header Injection Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-46454

The vulnerability resides in the Apache Camel Cometd component, which is designed to handle inbound network messaging. As a component used to integrate services and handle external client messages, it is commonly deployed in edge or integration layers where it faces network traffic, making it a likely candidate for public or wide-area network exposure.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability exists in the Apache Camel Cometd component that could allow unauthenticated attackers to inject malicious headers, potentially influencing how messages are processed and leading to a broad range of impacts depending on the route's configuration.

  • Unauthenticated injection of control headers is possible.
  • Affects message processing and routing logic.
  • Confirm relevance and exposure to the Cometd component.

Attack Path

How an attacker could exploit the issue

An attacker can send specially crafted messages to the Cometd component, bypassing authentication due to the lack of a default security policy. These messages can contain malicious Camel internal headers that are then copied directly into the message exchange. This allows the attacker to manipulate downstream processes, such as redirecting HTTP requests or altering file names, depending on how the route is configured.

  • Entry Condition: No authentication required to connect.
  • Trigger Point: Sending a CometD message with header injection.
  • Resulting Risk: Arbitrary control header injection.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an unauthenticated attacker could inject malicious Camel control headers into messages processed by the Apache Camel Cometd component. This could manipulate the behavior of downstream producers within a route, such as redirecting HTTP requests or altering file destinations, by bypassing authentication checks.

  • Camel control headers could be exposed.
  • Arbitrary headers injected via CometD messages.
  • Route behavior manipulated, potentially impacting producers.

Operational Fix

Recommended remediation, mitigation, and detection steps

Teams responsible for Apache Camel integration and exposed HTTP endpoints should prioritize this vulnerability. The first practical step is to identify all deployments of the affected component, confirm their network exposure, and determine if they are business-critical. Once identified, the accountable owner must be found to plan remediation based on the assessed risk.

  • Application or platform integration teams own resolution.
  • Verify Cometd endpoint exposure and network reachability.
  • Plan upgrade or implement header filtering.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the role of the Apache Camel Cometd component in software architecture?

The Apache Camel Cometd component serves as an integration bridge, facilitating real-time, event-driven message exchange between external CometD clients and internal Camel routes. It manages inbound Bayeux protocol messages, transforming them into Camel Exchange objects to enable seamless communication across distributed enterprise systems.

How does CVE-2026-46454 relate to CWE-20 Improper Input Validation?

This vulnerability is classified under CWE-20 because the Cometd component fails to validate or filter inbound message headers. By neglecting to apply a HeaderFilterStrategy, the component blindly copies client-provided data into Camel internal control headers, allowing untrusted input to influence sensitive system operations.

Does this vulnerability trigger through authenticated channels?

No, the vulnerability does not require authentication. Because the Cometd component installs no Bayeux SecurityPolicy by default, any client capable of completing a Bayeux handshake can submit messages. The trigger occurs when an attacker sends a message containing injected Camel control headers, which the system processes as legitimate internal instructions.

Why is this vulnerability considered highly relevant for edge integrations?

According to the Halo Surface Signal, this vulnerability is considered likely to be exposed because it resides in a component designed for network messaging. Since the Cometd component is frequently deployed in edge or integration layers to handle external client traffic, it faces a high probability of wide-area network exposure, elevating the risk profile.

What steps can teams take to remediate this vulnerability?

Teams should prioritize upgrading to the patched versions: 4.14.8, 4.18.3, or 4.21.0. If immediate upgrading is not possible, implement a mitigation by configuring a Bayeux SecurityPolicy to enforce client authentication and adding logic to the route to remove headers matching 'Camel*' or 'camel*' patterns before they reach any downstream producers.

References