You are viewing this page in an unauthorized frame window.
This is a potential security issue, you are being redirected to
https://nvd.nist.gov
An official website of the United States government
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.
This CVE record is currently being enriched by team members, this process results in the association of reference link tags, CVSS, CWE, and CPE applicability statement data
Description
Improper Input Validation vulnerability in Apache Camel AWS SNS component.
The camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers from being written out) and did not configure an inbound filter rule. For the related camel-aws2-sqs component this inbound gap was exploitable, because the Sqs2Consumer maps inbound SQS message attributes into the Camel Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, allowing a message sender to inject Camel control headers (tracked as CVE-2026-46456). camel-aws2-sns, by contrast, is producer-only: Sns2Endpoint does not support consumers (createConsumer throws UnsupportedOperationException, 'You cannot receive messages from this endpoint'), so no externally-supplied message attributes are ever mapped inbound into a Camel Exchange through SNS, and the missing inbound filter rule on Sns2HeaderFilterStrategy was therefore not reachable by an attacker. As part of the same fix (CAMEL-23506), an inbound filter rule (setInFilterStartsWith for the Camel namespace) was added to Sns2HeaderFilterStrategy so that its configuration matches the corrected Sqs2HeaderFilterStrategy and the other sibling strategies. This is a defense-in-depth alignment with no known exploit path in camel-aws2-sns.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
This is a defense-in-depth hardening change with no known exploit path in camel-aws2-sns, which is producer-only, so no urgent action or workaround is required. Users who want the aligned behaviour can upgrade to version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on the 4.18.x releases stream, which contain the change. As a general best practice, operators should continue to apply least-privilege IAM permissions on their SNS topics.
Metrics
NVD enrichment efforts reference publicly available information to associate
vector strings. CVSS information contributed by other sources is also
displayed.
By selecting these links, you will be leaving NIST webspace.
We have provided these links to other web sites because they
may have information that would be of interest to you. No
inferences should be drawn on account of other sites being
referenced, or not, from this page. There may be other web
sites that are more appropriate for your purpose. NIST does
not necessarily endorse the views expressed, or concur with
the facts presented on these sites. Further, NIST does not
endorse any commercial products that may be mentioned on
these sites. Please address comments about this page to [email protected].
Title: AWS SNS de Apache Camel, Description: Vulnerabilidad por validación incorrecta de entradas en el componente AWS SNS de Apache Camel. El componente «camel-aws2-sns» filtra los encabezados de Camel mediante una estrategia de filtrado de encabezados específica del componente, «Sns2HeaderFilterStrategy». Al igual que su homólogo Sqs2HeaderFilterStrategy, originalmente solo configuraba un filtro de salida (setOutFilterPattern, que impide que se escriban los encabezados Camel*, breadcrumbId y org.apache.camel.*) y no configuraba ninguna regla de filtro de entrada. En el caso del componente relacionado camel-aws2-sqs, esta laguna en el filtrado de entrada era explotable, ya que Sqs2Consumer mapea los atributos de los mensajes SQS entrantes al Camel Exchange mediante HeaderFilterStrategy.applyFilterToExternalHeaders, lo que permite al remitente de un mensaje inyectar encabezados de control de Camel (registrado como CVE-2026-46456). camel-aws2-sns, por el contrario, es exclusivamente de productor: Sns2Endpoint no admite consumidores (createConsumer lanza una excepción UnsupportedOperationException, «No se pueden recibir mensajes desde este punto final»), por lo que ningún atributo de mensaje proporcionado externamente se asigna nunca en la entrada a un Camel Exchange a través de SNS, y, por lo tanto, la regla de filtro de entrada que faltaba en Sns2HeaderFilterStrategy no era accesible para un atacante. Como parte de la misma corrección (CAMEL-23506), se ha añadido una regla de filtro de entrada (setInFilterStartsWith para el espacio de nombres Camel) a Sns2HeaderFilterStrategy, de modo que su configuración coincida con la de Sqs2HeaderFilterStrategy, ya corregida, y con la de las demás estrategias equivalentes. Se trata de una medida de defensa en profundidad sin ninguna vía de explotación conocida en camel-aws2-sns. Este problema afecta a Apache Camel: desde la versión 4.0.0 hasta la 4.14.8, desde la 4.15.0 hasta la 4.18.3 y desde la 4.19.0 hasta la 4.21.0. Se trata de un cambio de refuerzo de la defensa en profu
New CVE Received from Apache Software Foundation7/06/2026 5:16:39 AM
Improper Input Validation vulnerability in Apache Camel AWS SNS component.
The camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers from being written out) and did not configure an inbound filter rule. For the related camel-aws2-sqs component this inbound gap was exploitable, because the Sqs2Consumer maps inbound SQS message attributes into the Camel Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, allowing a message sender to inject Camel control headers (tracked as CVE-2026-46456). camel-aws2-sns, by contrast, is producer-only: Sns2Endpoint does not support consumers (createConsumer throws UnsupportedOperationException, 'You cannot receive messages from this endpoint'), so no externally-supplied message attributes are ever mapped inbound into a Camel Exchange through SNS, and the missing inbound filter rule on Sns2HeaderFilterStrategy was therefore not reachable by an attacker. As part of the same fix (CAMEL-23506), an inbound filter rule (setInFilterStartsWith for the Camel namespace) was added to Sns2HeaderFilterStrategy so that its configuration matches the corrected Sqs2HeaderFilterStrategy and the other sibling strategies. This is a defense-in-depth alignment with no known exploit path in camel-aws2-sns.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
This is a defense-in-depth hardening change with no known exploit path in camel-aws2-sns, which is producer-only, so no urgent action or workaround is required. Users who want the aligned behaviour can upgrade to version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on the 4.18.x releases stream, which contain the change. As a general best practice, operators should continue to apply least-privilege IAM perm