## Overview
**CVE-2026-33453** is a critical vulnerability in Apache Camel's **camel-coap** component that lets an unauthenticated attacker inject arbitrary Camel message headers through CoAP URI query parameters. When a vulnerable Camel route forwards such a crafted Exchange to a **header-sensitive producer** (for example camel-exec, camel-sql, camel-bean, camel-file or a templating component), the injected headers change what the producer does; with camel-exec the result is **remote code execution (RCE)**.
### Vulnerability details
– **Root cause:** The camel-coap consumer copies the query parameters of an incoming CoAP request URI straight into Camel Exchange In message headers without applying a HeaderFilterStrategy. No header name or prefix is filtered or restricted, so a client can set Camel-internal headers (those prefixed with Camel*) that downstream components treat as trusted control data.
– **Exploit vector:** An unauthenticated attacker who can deliver a single CoAP UDP datagram to a route consuming from coap:// can set arbitrary Camel-internal headers. For example, supplying CamelExecCommandExecutable and CamelExecCommandArgs as query parameters overrides the executable and arguments configured on a downstream **camel-exec** producer, so the attacker's command runs under the account of the Camel process.
– **Protocol considerations:** CoAP (RFC 7252) runs over UDP, typically on port **5683** (5684 for CoAP over DTLS). Plain coap:// carries no authentication; DTLS (coaps://) is optional and often not enabled. Because the traffic is UDP rather than HTTP, WAFs and HTTP-layer IDS signatures typically never see it and will neither detect nor block the injection.
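The route shape the three points above describe, with a hardened form beside it. This is an added example, not code from the page or from the Apache Camel project; the bind address, paths and the uptime command are illustrative assumptions, and the two routes are shown together only for comparison (deploy only the second).

```java
import org.apache.camel.builder.RouteBuilder;

/** Camel Java DSL: a header-sensitive producer behind a CoAP consumer, before and after hardening. */
public class CoapExecRoutes extends RouteBuilder {

    @Override
    public void configure() {
        // Shape the advisory describes. On an unpatched camel-coap consumer every ?name=value
        // on the request URI becomes an Exchange header. camel-exec honours the
        // CamelExecCommandExecutable / CamelExecCommandArgs headers over the URI, so a request
        // such as coap://host/uptime?CamelExecCommandExecutable=...&CamelExecCommandArgs=...
        // decides what the producer runs, not the route. Command output goes back in the reply.
        from("coap://0.0.0.0:5683/uptime")
            .to("exec:uptime");

        // Hardened form: drop every header that arrived from the wire before any producer sees
        // the Exchange, then set the producer-controlling headers from route constants so the
        // client cannot influence them. removeHeaders() takes a wildcard pattern; "*" clears all
        // headers, "Camel*" would be enough for camel-exec because its control headers all
        // carry that prefix. This is defence in depth, not a substitute for the vendor fix.
        from("coap://0.0.0.0:5683/uptime-safe")
            .removeHeaders("*")
            .setHeader("CamelExecCommandExecutable", constant("uptime"))
            .setHeader("CamelExecCommandArgs", constant("-p"))
            .to("exec:uptime");
    }
}
```

Stripping headers at the consumer edge also covers the other header-sensitive producers the advisory lists (camel-sql, camel-bean, camel-file, templating components), since none of them can then read a client-supplied Camel* header.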
### Affected software versions
– Affected: the Apache Camel release ranges listed in the Apache advisory (see references).
– Fixed: **4.18.1** and **4.19.0**; consult the advisory for the exact affected ranges and the fixed release of each supported branch.
### Severity
– **CVSS v3.1:** 10.0 (CRITICAL) — AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
– **Impact:** Remote, unauthenticated compromise of confidentiality, integrity and availability. Because camel-exec places the command's output in the message body and the CoAP consumer returns that body in the CoAP response, the attacker also receives the output, which makes the command execution interactive.
### Potential impact
– Full system compromise of hosts running vulnerable Camel routes (depending on process privileges).
– Data exfiltration, service disruption, lateral movement from compromised hosts.
– Interactive command execution: the producer's output is returned to the attacker in the CoAP response payload, so the exploit is not blind.
### Mitigation and recommendations
– **Immediate:** Apply the vendor updates: upgrade Apache Camel to **4.18.1** or **4.19.0** (or whichever fixed release the advisory lists for your branch).
– **Short-term compensations if patching is delayed:**
  – Restrict network access to CoAP endpoints: block or limit UDP/5683 (and UDP/5684 for DTLS) to trusted hosts and networks. UDP source addresses are trivially spoofed and the command runs whether or not the reply reaches the attacker, so a source-IP allowlist alone is not authentication.
  – Enable DTLS (coaps://) where feasible and require client authentication (pre-shared keys or client certificates) rather than server-only DTLS.
  – Do not place header-sensitive producers such as camel-exec behind CoAP consumers until patched; if a route must keep one, strip inbound headers (for example with removeHeaders) and set any producer-controlling headers from route constants so external input cannot reach them.
  – Monitor for CoAP traffic reaching unexpected hosts, for Uri-Query parameters whose names start with Camel, and for anomalous child processes of the Camel JVM.
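A datagram-level check implementing the monitoring bullet, added here as an example; it is not the page's or IONIX's code and not a Camel API. It parses the option block of a CoAP message as laid out in RFC 7252 section 3, collects the Uri-Query options (option number 15) and reports every parameter whose name starts with Camel, which on an unpatched camel-coap consumer would become a Camel-internal header. The buildGet helper and the two sample datagrams are constructed test input; option deltas and lengths of 269 or more are not generated by the helper, although the parser decodes them.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Flags CoAP requests whose query parameters would become Camel-internal headers. */
public final class CoapCamelHeaderCheck {

    static final int URI_PATH = 11;    // option numbers, RFC 7252 section 5.10
    static final int URI_QUERY = 15;

    /** Every Uri-Query option value in one CoAP datagram; throws on a malformed message so callers can alert on it. */
    static List<String> uriQueries(byte[] msg) {
        if (msg.length < 4 || ((msg[0] >> 6) & 0x3) != 1) throw new IllegalArgumentException("not CoAP v1");
        int tkl = msg[0] & 0x0F;
        if (tkl > 8) throw new IllegalArgumentException("reserved TKL");
        List<String> out = new ArrayList<>();
        int pos = 4 + tkl;          // skip the fixed header and the token
        int number = 0;             // option numbers are delta-encoded
        while (pos < msg.length) {
            int b = msg[pos++] & 0xFF;
            if (b == 0xFF) break;   // payload marker: no more options
            int delta = b >> 4, len = b & 0x0F;
            // nibble 13: one extra byte (+13); nibble 14: two extra bytes (+269); nibble 15: reserved
            if (delta == 15 || len == 15) throw new IllegalArgumentException("reserved option nibble");
            if (delta == 13)      { need(msg, pos, 1); delta = (msg[pos++] & 0xFF) + 13; }
            else if (delta == 14) { need(msg, pos, 2); delta = u16(msg, pos) + 269; pos += 2; }
            if (len == 13)        { need(msg, pos, 1); len = (msg[pos++] & 0xFF) + 13; }
            else if (len == 14)   { need(msg, pos, 2); len = u16(msg, pos) + 269; pos += 2; }
            need(msg, pos, len);
            number += delta;
            if (number == URI_QUERY) out.add(new String(msg, pos, len, StandardCharsets.UTF_8));
            pos += len;
        }
        return out;
    }

    /** Query parameter names that an unpatched camel-coap consumer would turn into Camel* headers. */
    static List<String> injectedCamelHeaders(byte[] msg) {
        List<String> hits = new ArrayList<>();
        for (String q : uriQueries(msg)) {
            int eq = q.indexOf('=');
            String name = eq < 0 ? q : q.substring(0, eq);
            if (name.startsWith("Camel")) hits.add(name);
        }
        return hits;
    }

    private static void need(byte[] msg, int pos, int n) {
        if (pos + n > msg.length) throw new IllegalArgumentException("truncated option");
    }

    private static int u16(byte[] msg, int pos) {
        return ((msg[pos] & 0xFF) << 8) | (msg[pos + 1] & 0xFF);
    }

    /** Constructed test input: a confirmable GET with the given Uri-Path segments and Uri-Query strings. */
    static byte[] buildGet(List<String> path, List<String> query) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x40);                    // Ver=1, Type=CON, TKL=0
        out.write(0x01);                    // Code 0.01 = GET
        out.write(0x12); out.write(0x34);   // Message ID (arbitrary)
        int last = 0;
        for (String s : path)  { writeOption(out, URI_PATH - last, s);  last = URI_PATH; }
        for (String s : query) { writeOption(out, URI_QUERY - last, s); last = URI_QUERY; }
        return out.toByteArray();
    }

    /** Encodes one option; delta and value length below 269 (the one-byte extension form). */
    private static void writeOption(ByteArrayOutputStream out, int delta, String value) {
        byte[] v = value.getBytes(StandardCharsets.UTF_8);
        int d = delta < 13 ? delta : 13;
        int l = v.length < 13 ? v.length : 13;
        out.write((d << 4) | l);
        if (d == 13) out.write(delta - 13);
        if (l == 13) out.write(v.length - 13);
        out.write(v, 0, v.length);
    }

    public static void main(String[] args) {
        byte[] benign  = buildGet(List.of("status"), List.of("verbose=1"));
        byte[] crafted = buildGet(List.of("status"),
                List.of("CamelExecCommandExecutable=id", "CamelExecCommandArgs=-u"));
        System.out.println("benign:  " + injectedCamelHeaders(benign));
        System.out.println("crafted: " + injectedCamelHeaders(crafted));
    }
}
```

The same logic translates directly into a Zeek or Suricata rule over UDP/5683 and UDP/5684 payloads; the parser is kept standalone here so the option walk, including the extended delta and length forms that a naive substring match would miss, is explicit.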
## IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.
References:

