CVE intelligence and bounded remediation
CVE-2026-46456 — Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component
Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component. The camel-aws2-sqs component map inbound message attributes into the Camel Exchange through a component-specific HeaderFilterStrategy. Sqs2HeaderFilterStrategy configured only an outbound filter (setOutFilterPattern, which blocks Camel*, breadcrumbId and org.apache.camel.* headers being written to the broker) but did not configure an inbound filter. As a result, when Sqs2Consumer copies each SQS MessageAttribute into the Exchange via HeaderFilterStrategy.applyFilterToExternalHeaders, DefaultHeaderFilterStrategy applied no inbound rule and treated every header name as not filtered - including Camel-internal control headers such as CamelHttpUri, CamelFileName or CamelSqlQuery - copying them unmodified onto the Camel message. Any principal able to send messages to the consumed SQS queue (for example a cross-account sender or a lower-privileged in-account component holding sqs:SendMessage) could therefore set arbitrary Camel control headers that influence the behaviour of downstream producers in the route (for example redirecting an HTTP producer, changing a file name, or overriding a query); the injected head…
- Severity
- Critical
- CVSS
- 9.8 (3.1)
- Published
- 2026-07-06
- CISA KEV
- Not currently listed
- Ecosystem
- software/application
- Weaknesses
- CWE-20
Affected products
- apache / camel
Matched remediation archetype
General vulnerability remediation
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Confirm the affected component, deployment paths, reachable interfaces, and enabled features from inventories and configuration, without probing production destructively.
- Compare the advisory's affected conditions with the repository lockfiles, build manifests, artifacts, and runtime inventory.
- Identify data sensitivity, trust boundaries, and privilege level for every confirmed affected deployment.
Remediate safely
- Apply a vendor-supported fix or remove the affected component or feature; record the selected change and its source in the repository.
- Update direct and transitive dependency locks, generated artifacts, deployment manifests, and asset inventories together.
- Add a regression test for the documented unsafe condition using inert inputs and preserve rollback instructions.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.