0.0
NA
CVE-2026-49099
Apache Camel Salesforce: Non-Camel-prefixed Exchange header constants bypass the HTTP header filter, allowing an HTTP client to influence internal behaviour
Description

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig (for example SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod, and the apexQueryParam. prefix) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a salesforce: producer, any HTTP client could therefore set these headers and override what the route intended - supplying its own SOQL query or SOSL search to read data from any SObject the connected Salesforce user can access, overriding the target SObject name and id for CRUD operations, or redirecting an Apex REST call to a different endpoint and HTTP method (including destructive methods) with injected query parameters. All such operations run with the full permissions of the Salesforce connected (integration) user, which is typically broad. No credentials are required from the attacker when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObject* / apex* values; the endpoint-option spelling is unchanged. For deployments that cannot upgrade immediately, strip the Salesforce control headers from any untrusted ingress before the salesforce: producer (for example removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route), and set the query, SObject and Apex parameters from a trusted source.

INFO

Published Date :

July 6, 2026, 9:16 a.m.

Last Modified :

July 6, 2026, 10:10 a.m.

Remotely Exploit :

No
Affected Products

The following products are affected by CVE-2026-49099 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

No affected product recoded yet

Solution
Upgrade Apache Camel Salesforce Component to patched version. Configure routes to use updated header names.
  • Upgrade to Apache Camel version 4.21.0 or later.
  • Upgrade to 4.14.8 for 4.14.x LTS stream.
  • Upgrade to 4.18.3 for 4.18.x stream.
  • Use CamelSalesforce* header names instead of sObject* / apex*.
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-49099.

URL Resource
https://camel.apache.org/security/CVE-2026-49099.html
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-49099 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-49099 weaknesses.

CAPEC-3: Using Leading 'Ghost' Character Sequences to Bypass Input Filters Using Leading 'Ghost' Character Sequences to Bypass Input Filters CAPEC-6: Argument Injection Argument Injection CAPEC-7: Blind SQL Injection Blind SQL Injection CAPEC-8: Buffer Overflow in an API Call Buffer Overflow in an API Call CAPEC-9: Buffer Overflow in Local Command-Line Utilities Buffer Overflow in Local Command-Line Utilities CAPEC-10: Buffer Overflow via Environment Variables Buffer Overflow via Environment Variables CAPEC-13: Subverting Environment Variable Values Subverting Environment Variable Values CAPEC-14: Client-side Injection-induced Buffer Overflow Client-side Injection-induced Buffer Overflow CAPEC-24: Filter Failure through Buffer Overflow Filter Failure through Buffer Overflow CAPEC-28: Fuzzing Fuzzing CAPEC-34: HTTP Response Splitting HTTP Response Splitting CAPEC-42: MIME Conversion MIME Conversion CAPEC-43: Exploiting Multiple Input Interpretation Layers Exploiting Multiple Input Interpretation Layers CAPEC-45: Buffer Overflow via Symbolic Links Buffer Overflow via Symbolic Links CAPEC-46: Overflow Variables and Tags Overflow Variables and Tags CAPEC-47: Buffer Overflow via Parameter Expansion Buffer Overflow via Parameter Expansion CAPEC-51: Poison Web Service Registry Poison Web Service Registry CAPEC-52: Embedding NULL Bytes Embedding NULL Bytes CAPEC-53: Postfix, Null Terminate, and Backslash Postfix, Null Terminate, and Backslash CAPEC-64: Using Slashes and URL Encoding Combined to Bypass Validation Logic Using Slashes and URL Encoding Combined to Bypass Validation Logic CAPEC-67: String Format Overflow in syslog() String Format Overflow in syslog() CAPEC-71: Using Unicode Encoding to Bypass Validation Logic Using Unicode Encoding to Bypass Validation Logic CAPEC-72: URL Encoding URL Encoding CAPEC-76: Manipulating Web Input to File System Calls Manipulating Web Input to File System Calls CAPEC-78: Using Escaped Slashes in Alternate Encoding Using Escaped Slashes in Alternate Encoding CAPEC-79: Using Slashes in Alternate Encoding Using Slashes in Alternate Encoding CAPEC-80: Using UTF-8 Encoding to Bypass Validation Logic Using UTF-8 Encoding to Bypass Validation Logic CAPEC-83: XPath Injection XPath Injection CAPEC-84: XQuery Injection XQuery Injection CAPEC-101: Server Side Include (SSI) Injection Server Side Include (SSI) Injection CAPEC-105: HTTP Request Splitting HTTP Request Splitting CAPEC-108: Command Line Execution through SQL Injection Command Line Execution through SQL Injection CAPEC-120: Double Encoding Double Encoding CAPEC-135: Format String Injection Format String Injection CAPEC-250: XML Injection XML Injection CAPEC-267: Leverage Alternate Encoding Leverage Alternate Encoding CAPEC-273: HTTP Response Smuggling HTTP Response Smuggling

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2026-49099 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2026-49099 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Translated by [email protected]

    Jul. 06, 2026

    Action Type Old Value New Value
    Added Translation Title: , Description: Neutralización incorrecta de elementos especiales en la salida utilizada por un componente posterior (inyección), vulnerabilidad que permite eludir la autorización mediante una clave controlada por el usuario en el componente Apache Camel para Salesforce. El productor camel-salesforce resuelve sus parámetros de funcionamiento —la consulta SOQL, la búsqueda SOSL, el nombre y el identificador del SObject de destino, la URL y el método REST de Apex, y los parámetros de consulta de Apex— a partir de los encabezados de los mensajes de Exchange, dando prioridad a la lectura del encabezado frente al valor configurado en el punto final (AbstractSalesforceProcessor.getParameter() lee primero el encabezado y utiliza la configuración del punto final solo como alternativa). Las constantes de los encabezados de control en SalesforceEndpointConfig (por ejemplo, SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod y el prefijo apexQueryParam. prefijo) utilizaban valores simples, sin prefijo Camel. Dado que estos nombres no comienzan con el prefijo Camel / camel, HttpHeaderFilterStrategy —que bloquea únicamente el espacio de nombres de encabezados Camel en el límite HTTP— permitía que pasaran directamente desde una solicitud HTTP entrante al Exchange. En una ruta que conecta a un consumidor HTTP (por ejemplo, platform-http) con un salesforce: cualquier cliente HTTP podría, por lo tanto, establecer estos encabezados y anular lo que la ruta pretendía: proporcionar su propia consulta SOQL o búsqueda SOSL para leer datos de cualquier SObject al que pueda acceder el usuario de Salesforce conectado, anular el nombre y el ID del SObject de destino para operaciones CRUD, o redirigir una llamada REST de Apex a un punto final y un método HTTP diferentes (incluidos métodos destructivos) con parámetros de consulta inyectados. Todas estas operaciones se ejecutan con todos los permisos del usuario conectado a Salesforce (de integración), que suelen ser amplios. El atacante no necesita credenciales cuando el consumidor puente no está autenticado. Este problema afecta a Apache Camel: desde la versión 4.0.0 hasta la 4.14.8, desde la 4.15.0 hasta la 4.18.3 y desde la 4.19.0 hasta la 4.21.0. Se recomienda a los usuarios que actualicen a la versión 4.21.0, que corrige el problema. Si los usuarios utilizan las versiones LTS de la rama 4.14.x, se les sugiere que actualicen a la 4.14.8. Si los usuarios utilizan las versiones de la rama 4.18.x, se les sugiere que actualicen a la 4.18.3. Tras la actualización, las rutas que configuren los parámetros de operación de Salesforce mediante los nombres de encabezado sin formato deben utilizar los nombres CamelSalesforce* (por ejemplo, CamelSalesforceSObjectQuery y CamelSalesforceApexUrl) en lugar de los antiguos valores sObject* / apex*; la ortografía de las opciones de punto final no ha cambiado. En el caso de las implementaciones que no puedan actualizarse de inmediato, elimine los encabezados de control de Salesforce de cualquier entrada no fiable antes del productor salesforce: (por ejemplo, removeHeaders(“sObject*”) y removeHeaders(“apex*”) al inicio de la ruta) y configure los parámetros de consulta, SObject y Apex a partir de una fuente fiable.
  • New CVE Received by [email protected]

    Jul. 06, 2026

    Action Type Old Value New Value
    Added Affected [{'vendor': 'Apache Software Foundation', 'product': 'Apache Camel Salesforce', 'versions': [{'status': 'affected', 'version': '4.0.0', 'lessThan': '4.14.8', 'versionType': 'semver'}, {'status': 'affected', 'version': '4.15.0', 'lessThan': '4.18.3', 'versionType': 'semver'}, {'status': 'affected', 'version': '4.19.0', 'lessThan': '4.21.0', 'versionType': 'semver'}], 'packageName': 'org.apache.camel:camel-salesforce', 'collectionURL': 'https://repo.maven.apache.org/maven2', 'defaultStatus': 'unaffected'}]
    Added Description Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel Salesforce Component. The camel-salesforce producer resolves its operation parameters - the SOQL query, the SOSL search, the target SObject name and id, the Apex REST URL and method, and the Apex query parameters - from Exchange message headers, reading the header in preference to the value configured on the endpoint (AbstractSalesforceProcessor.getParameter() reads the header first and uses the endpoint configuration only as a fallback). The control-header constants in SalesforceEndpointConfig (for example SOBJECT_QUERY = sObjectQuery, SOBJECT_SEARCH = sObjectSearch, SOBJECT_NAME = sObjectName, SOBJECT_ID = sObjectId, APEX_URL = apexUrl, APEX_METHOD = apexMethod, and the apexQueryParam. prefix) used plain, non-Camel-prefixed values. Because these names do not start with the Camel / camel prefix, HttpHeaderFilterStrategy - which blocks only the Camel header namespace on the HTTP boundary - let them pass from an inbound HTTP request straight into the Exchange. In a route that bridges an HTTP consumer (for example platform-http) into a salesforce: producer, any HTTP client could therefore set these headers and override what the route intended - supplying its own SOQL query or SOSL search to read data from any SObject the connected Salesforce user can access, overriding the target SObject name and id for CRUD operations, or redirecting an Apex REST call to a different endpoint and HTTP method (including destructive methods) with injected query parameters. All such operations run with the full permissions of the Salesforce connected (integration) user, which is typically broad. No credentials are required from the attacker when the bridging consumer is unauthenticated. This issue affects Apache Camel: from 4.0.0 before 4.14.8, from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.8. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. After upgrading, routes that set Salesforce operation parameters via the raw header names must use the CamelSalesforce* names (for example CamelSalesforceSObjectQuery and CamelSalesforceApexUrl) instead of the old sObject* / apex* values; the endpoint-option spelling is unchanged. For deployments that cannot upgrade immediately, strip the Salesforce control headers from any untrusted ingress before the salesforce: producer (for example removeHeaders('sObject*') and removeHeaders('apex*') at the start of the route), and set the query, SObject and Apex parameters from a trusted source.
    Added CWE CWE-74
    Added CWE CWE-639
    Added Reference https://camel.apache.org/security/CVE-2026-49099.html
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.