Critical (10.0)

Camel CoAP unauthenticated RCE (CVE-2026-33453) [PoC]


CVE-2026-33453: Apache Camel CoAP component allows unauthenticated RCE via header injection (CVSS 10.0). Patch to Camel 4.18.1 or 4.19.0.

Affected: Apache Camel

Exploitation confirmed - public proof-of-concept - CVE-2026-33453 is a critical unauthenticated remote code execution vulnerability in the Apache Camel CoAP component of Camel 4.14.0-4.14.5 and 4.18.0. An attacker who can reach the CoAP port sends a single UDP datagram that injects Camel message headers; where the receiving route forwards the message to camel-exec, that datagram runs an arbitrary OS command and the command's output comes back in the CoAP response. Patch to 4.18.1 or 4.19.0.

Overview

CVE-2026-33453 is a critical vulnerability in the Apache Camel camel-coap component that allows an attacker to inject arbitrary Camel message headers through the query parameters of an incoming CoAP request URI. The consumer copies query parameters directly into Exchange message headers without applying a HeaderFilterStrategy, the Camel mechanism that drops dangerous internal headers (those prefixed with Camel*) at the transport boundary.

An unauthenticated attacker can send a single UDP datagram to any route that consumes from coap://. Injected headers such as CamelExecCommandExecutable and CamelExecCommandArgs override the executable and arguments configured on downstream header-sensitive producers such as camel-exec, so a route that forwards the CoAP message to camel-exec ends up executing an attacker-chosen OS command on the host running the Camel application.

No second vulnerability and no credential is required. The output of the executed command is written back to the Exchange body and returned in the CoAP response payload, so every request is a complete command-and-output round trip: the attacker effectively holds a remote command channel to the host.

Impact

  • Severity: CVSS 10.0 (Critical)
  • Attack Vector: Network (single UDP packet)
  • Affected Versions: Apache Camel 4.14.0 through 4.14.5, 4.18.0
  • Fixed Versions: Apache Camel 4.18.1 and 4.19.0
  • Risk: An unauthenticated attacker gains remote code execution with the privileges of the Camel process.

This vulnerability is particularly dangerous because CoAP (RFC 7252) has no built-in authentication; transport security is delegated to DTLS (coaps://), which a plain coap:// endpoint does not use. The traffic is UDP rather than HTTP, so HTTP-layer controls such as WAFs never see it, and IDS signatures written for HTTP request headers do not match CoAP option fields.
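A sensor that does see this traffic has to parse CoAP options rather than HTTP headers. The following is an added example, not code from the advisory or from Apache Camel: a minimal RFC 7252 option walker that extracts Uri-Path (option 11) and Uri-Query (option 15) from a raw datagram and flags query parameters whose name begins with Camel. The sample datagram is constructed inline for the example, and the class and method names are this editor's choices, not anything the page or the project defines.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added example (editor's code, not from the advisory or Apache Camel).
public final class CoapHeaderInjectionDetector {

    /** Parsed request plus the query parameters that look like Camel header injection. */
    public static final class Result {
        public final String path;
        public final List<String> queries;
        public final List<String> suspicious;

        Result(String path, List<String> queries, List<String> suspicious) {
            this.path = path;
            this.queries = queries;
            this.suspicious = suspicious;
        }
    }

    /** Walks the RFC 7252 option list of one datagram; handles the 13/14 extended encodings. */
    public static Result inspect(byte[] pkt) {
        if (pkt.length < 4) throw new IllegalArgumentException("datagram shorter than CoAP header");
        if (((pkt[0] >> 6) & 0x3) != 1) throw new IllegalArgumentException("not CoAP version 1");
        int pos = 4 + (pkt[0] & 0x0F);          // fixed header + token (TKL nibble)
        int optNum = 0;                          // option numbers are delta-encoded from zero
        List<String> path = new ArrayList<>();
        List<String> queries = new ArrayList<>();
        while (pos < pkt.length) {
            int b = pkt[pos++] & 0xFF;
            if (b == 0xFF) break;                // payload marker: no more options
            int delta = b >> 4;
            int len = b & 0x0F;
            if (delta == 13) { delta = (pkt[pos++] & 0xFF) + 13; }
            else if (delta == 14) { delta = (((pkt[pos] & 0xFF) << 8) | (pkt[pos + 1] & 0xFF)) + 269; pos += 2; }
            else if (delta == 15) throw new IllegalArgumentException("reserved option delta");
            if (len == 13) { len = (pkt[pos++] & 0xFF) + 13; }
            else if (len == 14) { len = (((pkt[pos] & 0xFF) << 8) | (pkt[pos + 1] & 0xFF)) + 269; pos += 2; }
            else if (len == 15) throw new IllegalArgumentException("reserved option length");
            if (pos + len > pkt.length) throw new IllegalArgumentException("option runs past datagram");
            optNum += delta;
            String value = new String(pkt, pos, len, StandardCharsets.UTF_8);
            pos += len;
            if (optNum == 11) path.add(value);           // Uri-Path
            else if (optNum == 15) queries.add(value);   // Uri-Query
        }
        List<String> suspicious = new ArrayList<>();
        for (String q : queries) {
            int eq = q.indexOf('=');
            String name = eq < 0 ? q : q.substring(0, eq);
            // Camel header lookups are case-insensitive, so match the prefix that way as well.
            if (name.regionMatches(true, 0, "Camel", 0, 5)) suspicious.add(q);
        }
        return new Result("/" + String.join("/", path), queries, suspicious);
    }

    /** Constructed sample: CON GET, message id 0x1234, no token, path /run, one injected query. */
    public static byte[] sampleRequest() {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x40); out.write(0x01); out.write(0x12); out.write(0x34);   // ver=1 CON TKL=0, GET, mid
        byte[] p = "run".getBytes(StandardCharsets.UTF_8);
        out.write((11 << 4) | p.length);                 // Uri-Path: delta 11, length 3
        out.write(p, 0, p.length);
        byte[] q = "CamelExecCommandExecutable=id".getBytes(StandardCharsets.UTF_8);
        out.write((4 << 4) | 13);                        // Uri-Query: delta 15-11=4, extended length
        out.write(q.length - 13);                        // 29 bytes -> nibble 13 + (29-13)
        out.write(q, 0, q.length);
        return out.toByteArray();
    }

    public static void main(String[] args) {
        Result r = inspect(sampleRequest());
        System.out.println("path=" + r.path + " queries=" + r.queries);
        System.out.println(r.suspicious.isEmpty()
            ? "clean"
            : "ALERT possible Camel header injection: " + r.suspicious);
    }
}
```

Run it against the constructed datagram and it reports path /run with the query CamelExecCommandExecutable=id flagged. The prefix match is case-insensitive on purpose: Camel resolves header names case-insensitively, so a rule that only matches the exact spelling Camel* would miss trivially altered variants.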

Remediation

  1. Upgrade your Apache Camel deployment to version 4.18.1 or 4.19.0 (or any later release). These versions apply a HeaderFilterStrategy in the CoAP component so that Camel* headers are no longer taken from request query parameters.

  2. If an immediate upgrade is not possible, restrict network access to the CoAP port (default 5683/udp for coap://, 5684/udp for coaps://) to trusted sources only using a firewall or network ACL.

  3. Review all Camel routes that consume from coap:// endpoints and ensure they do not forward messages to header-sensitive producers (camel-exec, camel-sql, camel-bean, camel-file, or template components) until the patch is applied. Where such a route cannot be taken offline, strip Camel-prefixed headers in the route immediately after the consumer so that nothing from the request can reach those producers as a control header.
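The header-override path described in the Overview and the route-level stop-gap from the remediation steps, side by side. This is an added example written for this page, not code from the advisory or the Camel project; the endpoint URIs, route ids, paths and the uptime command are assumptions chosen for illustration.

```java
import org.apache.camel.builder.RouteBuilder;

// Added example (editor's code, not from the advisory or Apache Camel).
// Endpoint addresses, route ids and the "uptime" command are assumptions.
public class CoapExecRoutes extends RouteBuilder {

    @Override
    public void configure() {
        // VULNERABLE PATTERN on affected versions: the CoAP consumer copies every
        // URI query parameter into a message header without filtering, and camel-exec
        // honours the CamelExecCommandExecutable / CamelExecCommandArgs headers over
        // the executable configured in the endpoint URI. A GET to
        // coap://host:5683/run?CamelExecCommandExecutable=id therefore runs "id"
        // instead of "uptime", and its output travels back in the CoAP response body.
        from("coap://0.0.0.0:5683/run")
            .routeId("coap-exec-vulnerable")
            .to("exec:uptime");

        // HARDENED PATTERN: drop every Camel-internal header at the transport boundary,
        // before any header-sensitive producer sees the message. removeHeaders("Camel*")
        // is ordinary Camel DSL and does what the missing HeaderFilterStrategy would have
        // done for this consumer. It is a stop-gap for a route that must stay up;
        // the upgrade to 4.18.1 / 4.19.0 is still required.
        from("coap://0.0.0.0:5683/status")
            .routeId("coap-exec-hardened")
            .removeHeaders("Camel*")
            .to("exec:uptime");
    }
}
```

Put the removeHeaders step directly after from(), so that no intermediate processor, bean or choice() branch can act on an injected header before it is removed, and apply it to every coap:// consumer route rather than only the ones that obviously lead to camel-exec. After deploying, confirm the fix by sending a request carrying a CamelExecCommandExecutable query parameter to a lab instance and checking that the configured command, not the injected one, is what runs.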

Security Insight

This vulnerability illustrates a recurring pattern in integration frameworks: mapping untrusted network input directly into internal message headers without filtering. The CoAP consumer did not apply a HeaderFilterStrategy, a control that Camel's other transport components have enforced for years. It is reminiscent of the 2025 Apache Camel header-filter bypass issues (CVE-2025-27636 and CVE-2025-29891), which likewise ended in command execution through camel-exec once attacker-controlled headers reached it. The lesson is that every network-facing component in an integration framework must enforce header sanitization at the transport boundary, rather than relying on downstream processors to filter dangerous headers.


Public PoC References

Unverified third-party code

These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).

Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.

  • dinosn/CVE-2026-33453 (0 stars): Apache Camel 4.18.0 — CVE Security Assessment: 3 critical vulnerabilities with working PoC exploits (CVE-2026-33453, CVE-2026-40473, CVE-2026-40858)

Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.
