# [CRIT] [GHSA / CRITICAL] CVE-2026-47323: Camel-CXF and Camel-Knative Message Header are Vulnerable to Injection via Missing Inbound Filtering

**Source:** GitHub Security Advisories
**Published:** 2026-05-19
**Article:** https://github.com/advisories/GHSA-8364-hfqj-pwm6

## Threat Profile

The CXF and Knative HeaderFilterStrategy implementations (CxfRsHeaderFilterStrategy in camel-cxf-rest, CxfHeaderFilterStrategy in camel-cxf-transport, and KnativeHttpHeaderFilterStrategy in camel-knative-http) only filter outbound Camel-internal headers via setOutFilterStartsWith, while not configuring inbound fi…
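To make the missing-inbound-filter mechanism concrete, the following is an added example written for this page, not Camel's code or the advisory's. It models the two directions of Camel's `HeaderFilterStrategy` in Python: the outbound side (Camel headers copied to the external message, `applyFilterToCamelHeaders`) and the inbound side (external headers copied onto the exchange, `applyFilterToExternalHeaders`), and shows what an out-only configuration lets a client plant. The class and function names, the sample request headers, and the `camel` / `org.apache.camel` prefix list are this example's own assumptions.

```python
"""
Model of Camel's two-direction header filtering, written as an added
illustration for this briefing (not Camel code). "out" filtering applies
when Camel headers are copied to the external message; "in" filtering
applies when external headers are copied into the Camel exchange. The
names HeaderFilter, copy_external_to_camel, copy_camel_to_external and
injected_headers are this example's own.
"""
from dataclasses import dataclass

# Assumption: prefixes that mark a header as Camel-internal.
CAMEL_PREFIXES = ("camel", "org.apache.camel")


@dataclass
class HeaderFilter:
    out_starts_with: tuple = ()   # applied Camel -> external (outbound)
    in_starts_with: tuple = ()    # applied external -> Camel (inbound)

    @staticmethod
    def _matches(name: str, prefixes: tuple) -> bool:
        # HTTP header names are case-insensitive, so compare in lower case;
        # a case-sensitive prefix test would be bypassed by "cAmelExec...".
        lname = name.lower()
        return any(lname.startswith(p.lower()) for p in prefixes)

    def copy_external_to_camel(self, external_headers: dict) -> dict:
        """Headers that survive the inbound filter and land on the exchange."""
        return {k: v for k, v in external_headers.items()
                if not self._matches(k, self.in_starts_with)}

    def copy_camel_to_external(self, camel_headers: dict) -> dict:
        """Headers that survive the outbound filter and reach the external message."""
        return {k: v for k, v in camel_headers.items()
                if not self._matches(k, self.out_starts_with)}


# Constructed inbound request: one legitimate header plus attacker-supplied
# headers whose names collide with Camel's exec and file component headers.
ATTACKER_REQUEST_HEADERS = {
    "Content-Type": "application/json",
    "CamelExecCommandExecutable": "/bin/sh",
    "camelexeccommandargs": "-c id",          # lower case, still Camel-internal
    "CamelFileName": "../../../tmp/owned.jsp",
}

# The vulnerable shape described by the advisory: only the outbound side is set.
OUT_ONLY = HeaderFilter(out_starts_with=CAMEL_PREFIXES)
# The hardened shape: both directions filter Camel-internal prefixes.
BOTH_WAYS = HeaderFilter(out_starts_with=CAMEL_PREFIXES, in_starts_with=CAMEL_PREFIXES)


def injected_headers(strategy: HeaderFilter, request_headers: dict) -> list:
    """Names of Camel-internal headers an inbound request manages to plant."""
    landed = strategy.copy_external_to_camel(request_headers)
    return sorted(k for k in landed if HeaderFilter._matches(k, CAMEL_PREFIXES))


if __name__ == "__main__":
    print("out-only filter lets in:", injected_headers(OUT_ONLY, ATTACKER_REQUEST_HEADERS))
    print("in+out filter lets in: ", injected_headers(BOTH_WAYS, ATTACKER_REQUEST_HEADERS))
```

With only `out_starts_with` set, every Camel-named header in the request reaches the exchange, where downstream components such as camel-exec and camel-file read them as configuration; with the inbound prefixes set as well, only `Content-Type` survives. The lower-case comparison matters because a client controls the case of the header names it sends.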

## Indicators of Compromise (high-fidelity only)

The only high-fidelity indicators extractable from the advisory are CVE identifiers: the advisory's own CVE and the CVEs referenced alongside it. They identify the vulnerable component, not attacker infrastructure or payloads, so use them for exposure matching (the IOC-driven hunts further down), not for traffic or endpoint detection.

- **CVE:** `CVE-2026-47323`
- **CVE:** `CVE-2025-30177`
- **CVE:** `CVE-2025-27636`
- **CVE:** `CVE-2025-29891`
- **CVE:** `CVE-2026-40453`

## MITRE ATT&CK Techniques

- **T1190** — Exploit Public-Facing Application
- **T1059** — Command and Scripting Interpreter
- **T1059.001** — PowerShell
- **T1059.003** — Windows Command Shell
- **T1059.004** — Unix Shell
- **T1505.003** — Web Shell
- **T1547.001** — Registry Run Keys / Startup Folder
- **T1098.004** — SSH Authorized Keys

## Kill chain phases observed

_(none detected from narrative keywords)_

## Recommended hunts

### Inbound HTTP request with Camel-internal header or query param to CXF/Knative endpoint (CVE-2026-47323)

`UC_259_1` · phase: **exploit** · confidence: **High** · AI-generated for this article

Coverage caveat: the advisory describes injection through request *headers*, and neither the Splunk CIM `Web` data model nor Defender `DeviceNetworkEvents` normally retains inbound request headers (`RemoteUrl` is generally populated for connections the host initiates, not for requests the JVM accepts). These queries therefore fire only when a Camel-internal name shows up in the URL or query string, User-Agent or Referer. For header-level coverage, run the same name match over reverse-proxy, WAF or API-gateway logs that capture full request headers, and treat any client-supplied header or query-parameter name starting with `Camel`, `camel` or `org.apache.camel` as suspicious regardless of case, since HTTP header names are case-insensitive.

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.url) as url values(Web.http_method) as http_method values(Web.http_user_agent) as ua values(Web.src) as src values(Web.dest) as dest from datamodel=Web.Web where (Web.url="*CamelExecCommandExecutable*" OR Web.url="*CamelFileName*" OR Web.url="*CamelExecCommandArgs*" OR Web.url="*CamelExecCommandWorkingDir*" OR Web.url="*CamelFileAbsolutePath*" OR Web.url="*CamelHttpQuery*" OR Web.http_user_agent="*CamelExecCommandExecutable*" OR Web.http_referrer="*CamelExecCommandExecutable*") by Web.dest Web.src Web.url Web.http_method Web.http_user_agent | `drop_dm_object_name(Web)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where RemotePort in (80, 443, 8080, 8443, 9000, 9080, 9443)
| where AdditionalFields has_any ("CamelExecCommandExecutable", "CamelFileName", "CamelExecCommandArgs", "CamelExecCommandWorkingDir", "CamelFileAbsolutePath", "CamelHttpQuery")
   or RemoteUrl has_any ("CamelExecCommandExecutable", "CamelFileName", "CamelExecCommandArgs")
| where InitiatingProcessFileName in~ ("java.exe", "java", "javaw.exe")
   or InitiatingProcessCommandLine has_any ("camel", "cxf", "knative")
| project Timestamp, DeviceName, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, AdditionalFields
| order by Timestamp desc
```
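Because the data models above generally do not carry request headers, the check this hunt is reaching for is more reliable over proxy or WAF logs that do. The following Python is an added example for this briefing, not code from the advisory or from any vendor: it runs the Camel-internal-name match over a few constructed JSON access-log lines (the log format, field names, addresses and sample values are this example's own assumptions) and tiers findings by whether the name maps to a camel-exec or camel-file option.

```python
"""
Added example (not from the advisory): the header/query-name check the hunt
above approximates, run over access logs that retain full request headers.
Assumes a constructed JSON-lines format with "ts", "src", "method", "uri"
and "headers" fields, as a reverse proxy or WAF in front of the Camel
endpoint might emit; the field names are this example's own.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Any inbound header or query parameter whose *name* starts with a Camel-internal
# prefix is suspicious: clients have no legitimate reason to send one.
CAMEL_NAME = re.compile(r"^(camel|org\.apache\.camel)", re.IGNORECASE)

# Names that map directly to camel-exec / camel-file options (compared lower-case).
HIGH_RISK = {
    "camelexeccommandexecutable", "camelexeccommandargs",
    "camelexeccommandworkingdir", "camelfilename", "camelfileabsolutepath",
}

# Constructed sample log: one clean request, two injection attempts from the
# same client, and one benign parameter that merely shares the prefix.
SAMPLE_LOG = """\
{"ts":"2026-05-19T10:00:01Z","src":"10.0.0.5","method":"POST","uri":"/api/orders","headers":{"Content-Type":"application/json","User-Agent":"curl/8.5"}}
{"ts":"2026-05-19T10:00:07Z","src":"203.0.113.9","method":"POST","uri":"/api/orders","headers":{"Content-Type":"application/json","cAmelExecCommandExecutable":"/bin/sh","CamelExecCommandArgs":"-c id"}}
{"ts":"2026-05-19T10:00:09Z","src":"203.0.113.9","method":"GET","uri":"/api/orders?CamelFileName=../../webapps/ROOT/x.jsp","headers":{"User-Agent":"python-requests/2.32"}}
{"ts":"2026-05-19T10:00:12Z","src":"10.0.0.6","method":"GET","uri":"/health?camelot=true","headers":{}}
"""


def suspicious_names(uri: str, headers: dict):
    """Yield (location, name) for every Camel-internal looking header or query name."""
    for name in headers:
        if CAMEL_NAME.match(name):
            yield "header", name
    for name, _value in parse_qsl(urlsplit(uri).query, keep_blank_values=True):
        if CAMEL_NAME.match(name):
            yield "query", name


def hunt(log_text: str) -> list:
    """Return one finding per request that carries Camel-internal names."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        hits = list(suspicious_names(rec["uri"], rec.get("headers", {})))
        if not hits:
            continue
        # "high": a known exec/file option name; "low": prefix match only, review.
        severity = "high" if any(n.lower() in HIGH_RISK for _, n in hits) else "low"
        findings.append({
            "ts": rec["ts"], "src": rec["src"], "method": rec["method"],
            "path": urlsplit(rec["uri"]).path, "severity": severity,
            "hits": [f"{loc}:{name}" for loc, name in hits],
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding)
```

The match is on the parameter or header *name*, not its value, so it is cheap and does not depend on what payload the attacker chose; the `camelot` line shows why a prefix match needs a triage tier rather than being alerted on outright.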

### Apache Camel JVM spawning shell or command interpreter via camel-exec (CVE-2026-47323 post-exploit)

`UC_259_2` · phase: **install** · confidence: **High** · AI-generated for this article

Applications that use camel-exec legitimately spawn these interpreters, so baseline known routes first; pivot on the child command line and on a preceding matching request in UC_259_1 before escalating. The `-jar` term in the KQL widens the parent match to any `java -jar` process, not only Camel.

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.process_path) as child_path values(Processes.parent_process) as parent_cmdline values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.parent_process_name="java.exe" OR Processes.parent_process_name="javaw.exe" OR Processes.parent_process_name="java") (Processes.process_name="cmd.exe" OR Processes.process_name="powershell.exe" OR Processes.process_name="pwsh.exe" OR Processes.process_name="sh" OR Processes.process_name="bash" OR Processes.process_name="dash" OR Processes.process_name="wscript.exe" OR Processes.process_name="cscript.exe" OR Processes.process_name="rundll32.exe" OR Processes.process_name="certutil.exe" OR Processes.process_name="bitsadmin.exe" OR Processes.process_name="curl.exe" OR Processes.process_name="wget") (Processes.parent_process="*camel*" OR Processes.parent_process="*cxf*" OR Processes.parent_process="*knative*") by host Processes.parent_process_name Processes.process_name Processes.process Processes.parent_process Processes.user | `drop_dm_object_name(Processes)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe", "java")
| where InitiatingProcessCommandLine has_any ("camel", "cxf", "knative", "-jar")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash", "dash", "wscript.exe", "cscript.exe", "rundll32.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget", "mshta.exe", "regsvr32.exe")
| where AccountName !endswith "$"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessFolderPath, SHA256
| order by Timestamp desc
```

### Apache Camel JVM writing files to sensitive paths via camel-file (CVE-2026-47323 arbitrary file write)

`UC_259_3` · phase: **install** · confidence: **Medium** · AI-generated for this article

Note the two queries differ in scope: the SPL requires both a sensitive path and a script or web-shell extension, while the KQL ORs the two conditions, so it also flags any `.sh`, `.ps1` or similar file the JVM writes anywhere. Neither catches an extension-less drop such as a cron job file; with `CamelFileName` attacker-controlled, the destination path and name are arbitrary, so widen the filename clause if your environment can tolerate the noise.

**Splunk SPL (CIM):**
```spl
| tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Filesystem.file_path) as path values(Filesystem.file_name) as fname values(Filesystem.process_name) as writer values(Filesystem.user) as user from datamodel=Endpoint.Filesystem where (Filesystem.process_name="java.exe" OR Filesystem.process_name="javaw.exe" OR Filesystem.process_name="java") (Filesystem.file_path="*\\inetpub\\wwwroot\\*" OR Filesystem.file_path="*\\tomcat*\\webapps\\*" OR Filesystem.file_path="*/var/www/*" OR Filesystem.file_path="*/usr/share/nginx/*" OR Filesystem.file_path="*\\Startup\\*" OR Filesystem.file_path="*\\System32\\*" OR Filesystem.file_path="*/etc/cron*" OR Filesystem.file_path="*/.ssh/authorized_keys*" OR Filesystem.file_path="*\\Windows\\Tasks\\*") (Filesystem.file_name="*.jsp" OR Filesystem.file_name="*.jspx" OR Filesystem.file_name="*.war" OR Filesystem.file_name="*.aspx" OR Filesystem.file_name="*.php" OR Filesystem.file_name="*.sh" OR Filesystem.file_name="*.bat" OR Filesystem.file_name="*.ps1" OR Filesystem.file_name="authorized_keys") by host Filesystem.process_name Filesystem.file_path Filesystem.file_name Filesystem.user | `drop_dm_object_name(Filesystem)` | convert ctime(firstTime) ctime(lastTime)
```

**Defender KQL:**
```kql
DeviceFileEvents
| where Timestamp > ago(7d)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe", "java")
| where InitiatingProcessCommandLine has_any ("camel", "cxf", "knative", "-jar")
| where (FolderPath has_any ("\\inetpub\\wwwroot\\", "\\webapps\\", "\\htdocs\\", "/var/www/", "/usr/share/nginx/", "\\Startup\\", "\\System32\\", "\\SysWOW64\\", "/etc/cron", "/.ssh/", "\\Windows\\Tasks\\", "\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\"))
   or (FileName endswith ".jsp" or FileName endswith ".jspx" or FileName endswith ".war" or FileName endswith ".aspx" or FileName endswith ".php" or FileName endswith ".sh" or FileName endswith ".bat" or FileName endswith ".ps1" or FileName =~ "authorized_keys")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp desc
```

### IOC-driven hunts (use shared templates)

These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing.

- **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High**
  - CVE(s): `CVE-2026-47323`, `CVE-2025-30177`, `CVE-2025-27636`, `CVE-2025-29891`, `CVE-2026-40453`


## Why this matters

Severity classified as **CRIT** based on: CVE present, 4 use case(s) fired, 8 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.
