FKIE_CVE-2026-56140
Vulnerability from fkie_nvd - Published: 2026-07-06 09:16 - Updated: 2026-07-06 20:16
Severity
Summary
Improper Input Validation vulnerability in Apache Camel AWS SNS component.
The camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers from being written out) and did not configure an inbound filter rule. For the related camel-aws2-sqs component this inbound gap was exploitable, because the Sqs2Consumer maps inbound SQS message attributes into the Camel Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, allowing a message sender to inject Camel control headers (tracked as CVE-2026-46456). camel-aws2-sns, by contrast, is producer-only: Sns2Endpoint does not support consumers (createConsumer throws UnsupportedOperationException, 'You cannot receive messages from this endpoint'), so no externally-supplied message attributes are ever mapped inbound into a Camel Exchange through SNS, and the missing inbound filter rule on Sns2HeaderFilterStrategy was therefore not reachable by an attacker. As part of the same fix (CAMEL-23506), an inbound filter rule (setInFilterStartsWith for the Camel namespace) was added to Sns2HeaderFilterStrategy so that its configuration matches the corrected Sqs2HeaderFilterStrategy and the other sibling strategies. This is a defense-in-depth alignment with no known exploit path in camel-aws2-sns.
This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.
This is a defense-in-depth hardening change with no known exploit path in camel-aws2-sns, which is producer-only, so no urgent action or workaround is required. Users who want the aligned behaviour can upgrade to version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on the 4.18.x releases stream, which contain the change. As a general best practice, operators should continue to apply least-privilege IAM permissions on their SNS topics.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.camel:camel-aws2-sns",
"product": "Apache Camel AWS2 SNS",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.14.8",
"status": "affected",
"version": "4.0.0",
"versionType": "semver"
},
{
"lessThan": "4.18.3",
"status": "affected",
"version": "4.15.0",
"versionType": "semver"
},
{
"lessThan": "4.21.0",
"status": "affected",
"version": "4.19.0",
"versionType": "semver"
}
]
}
],
"source": "security@apache.org"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Improper Input Validation vulnerability in Apache Camel AWS SNS component.\n\n\nThe camel-aws2-sns component filters Camel headers through a component-specific HeaderFilterStrategy, Sns2HeaderFilterStrategy. Like the sibling Sqs2HeaderFilterStrategy, it originally configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers from being written out) and did not configure an inbound filter rule. For the related camel-aws2-sqs component this inbound gap was exploitable, because the Sqs2Consumer maps inbound SQS message attributes into the Camel Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, allowing a message sender to inject Camel control headers (tracked as CVE-2026-46456). camel-aws2-sns, by contrast, is producer-only: Sns2Endpoint does not support consumers (createConsumer throws UnsupportedOperationException, \u0027You cannot receive messages from this endpoint\u0027), so no externally-supplied message attributes are ever mapped inbound into a Camel Exchange through SNS, and the missing inbound filter rule on Sns2HeaderFilterStrategy was therefore not reachable by an attacker. As part of the same fix (CAMEL-23506), an inbound filter rule (setInFilterStartsWith for the Camel namespace) was added to Sns2HeaderFilterStrategy so that its configuration matches the corrected Sqs2HeaderFilterStrategy and the other sibling strategies. This is a defense-in-depth alignment with no known exploit path in camel-aws2-sns.\n\n\nThis issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nThis is a defense-in-depth hardening change with no known exploit path in camel-aws2-sns, which is producer-only, so no urgent action or workaround is required. Users who want the aligned behaviour can upgrade to version 4.21.0, or to 4.14.8 on the 4.14.x LTS releases stream, or to 4.18.3 on the 4.18.x releases stream, which contain the change. As a general best practice, operators should continue to apply least-privilege IAM permissions on their SNS topics."
},
{
"lang": "es",
"value": "Vulnerabilidad por validaci\u00f3n incorrecta de entradas en el componente AWS SNS de Apache Camel. El componente \u00abcamel-aws2-sns\u00bb filtra los encabezados de Camel mediante una estrategia de filtrado de encabezados espec\u00edfica del componente, \u00abSns2HeaderFilterStrategy\u00bb. Al igual que su hom\u00f3logo Sqs2HeaderFilterStrategy, originalmente solo configuraba un filtro de salida (setOutFilterPattern, que impide que se escriban los encabezados Camel*, breadcrumbId y org.apache.camel.*) y no configuraba ninguna regla de filtro de entrada. En el caso del componente relacionado camel-aws2-sqs, esta laguna en el filtrado de entrada era explotable, ya que Sqs2Consumer mapea los atributos de los mensajes SQS entrantes al Camel Exchange mediante HeaderFilterStrategy.applyFilterToExternalHeaders, lo que permite al remitente de un mensaje inyectar encabezados de control de Camel (registrado como CVE-2026-46456). camel-aws2-sns, por el contrario, es exclusivamente de productor: Sns2Endpoint no admite consumidores (createConsumer lanza una excepci\u00f3n UnsupportedOperationException, \u00abNo se pueden recibir mensajes desde este punto final\u00bb), por lo que ning\u00fan atributo de mensaje proporcionado externamente se asigna nunca en la entrada a un Camel Exchange a trav\u00e9s de SNS, y, por lo tanto, la regla de filtro de entrada que faltaba en Sns2HeaderFilterStrategy no era accesible para un atacante. Como parte de la misma correcci\u00f3n (CAMEL-23506), se ha a\u00f1adido una regla de filtro de entrada (setInFilterStartsWith para el espacio de nombres Camel) a Sns2HeaderFilterStrategy, de modo que su configuraci\u00f3n coincida con la de Sqs2HeaderFilterStrategy, ya corregida, y con la de las dem\u00e1s estrategias equivalentes. Se trata de una medida de defensa en profundidad sin ninguna v\u00eda de explotaci\u00f3n conocida en camel-aws2-sns. Este problema afecta a Apache Camel: desde la versi\u00f3n 4.0.0 hasta la 4.14.8, desde la 4.15.0 hasta la 4.18.3 y desde la 4.19.0 hasta la 4.21.0. Se trata de un cambio de refuerzo de la defensa en profundidad sin v\u00edas de explotaci\u00f3n conocidas en camel-aws2-sns, que es de solo productor, por lo que no se requiere ninguna acci\u00f3n urgente ni soluci\u00f3n alternativa. Los usuarios que deseen que el comportamiento se ajuste a lo previsto pueden actualizar a la versi\u00f3n 4.21.0, o a la 4.14.8 en la rama de versiones LTS 4.14.x, o a la 4.18.3 en la rama de versiones 4.18.x, que incluyen el cambio. Como buena pr\u00e1ctica general, los operadores deben seguir aplicando permisos IAM de \u00abprivilegio m\u00ednimo\u00bb a sus temas de SNS."
}
],
"id": "CVE-2026-56140",
"lastModified": "2026-07-06T20:16:37.830",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-56140",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T19:31:02.739566Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-07-06T09:16:39.280",
"references": [
{
"source": "security@apache.org",
"url": "https://camel.apache.org/security/CVE-2026-56140.html"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…