Apache Camel security information
Reporting new security problems with Apache Camel
The Apache Software Foundation takes a very active stance in eliminating security problems.
We strongly encourage anyone who finds such a problem to report it to the private security mailing list of the ASF Security Team before disclosing it in a public forum.
Please see the page of the ASF Security Team for further information and contact details.
Security advisories
| Reference | Affected | Fixed | CVSS severity | Description |
|---|---|---|---|---|
| 2026 | ||||
| CVE-2025-66169 | Apache Camel 4.10.x before 4.10.8, Apache Camel 4.14.x before 4.14.3, Apache Camel 4.15.0 and 4.16.0. | 4.10.8, 4.14.3 and 4.17.0 | MEDIUM | Cypher injection vulnerability in Camel-Neo4j component |
| 2025 | ||||
| CVE-2025-30177 | Apache Camel 4.10.0 before 4.10.3. Apache Camel 4.8.0 before 4.8.6. | 4.8.6 and 4.10.3 | MEDIUM | Camel-Undertow Message Header Injection via Improper Filtering |
| CVE-2025-29891 | Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4. | 3.22.4, 4.8.5 and 4.10.2 | HIGH | Camel Message Header Injection through request parameters |
| CVE-2025-27636 | Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. Apache Camel 3.10.0 before 3.22.4. | 3.22.4, 4.8.5 and 4.10.2 | MEDIUM | Camel Message Header Injection via Improper Filtering |
| 2024 | ||||
| CVE-2024-22371 | From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0 | 3.21.4, 3.22.1, 4.0.4 and 4.4.0 | LOW | Exposure of sensitive data by crafting a malicious EventFactory and providing a custom ExchangeCreatedEvent that exposes sensitive data |
| CVE-2024-23114 | From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. | 3.21.4, 3.22.1, 4.0.4 and 4.4.0 | HIGH | Apache Camel: Camel-CassandraQL: Unsafe Deserialization from CassandraAggregationRepository |
| CVE-2024-22369 | From 3.0.0 before 3.21.4, from 3.22.0 before 3.22.1, from 4.0.0 before 4.0.4, from 4.1.0 before 4.4.0. | 3.21.4, 3.22.1, 4.0.4 and 4.4.0 | HIGH | Apache Camel: Camel-SQL: Unsafe Deserialization from JDBCAggregationRepository |
| 2023 | ||||
| CVE-2023-34442 | 3.0.0 up to 3.14.8, and 3.18.0 up to 3.18.7, 3.20.0 up to 3.20.5 and 4.0.0-M1 up to 4.0.0-M3 | 3.14.9, 3.18.8, 3.20.6, 3.21.0 and 4.0.0-RC1 | LOW | Temporary File Local Information Disclosure in camel-jira |
| 2022 | ||||
| CVE-2022-45046 | 3.0.0 up to 3.14.5, and 3.15.0 up to 3.18.3, and 3.19.0. | 3.14.6, 3.18.4 | MEDIUM | LDAP Injection in camel-ldap |
| 2021 | ||||
| No issues reported | ||||
| 2020 | ||||
| CVE-2020-11994 | 2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0 | 2.25.2, 3.4.0 | MEDIUM | Server-Side Template Injection and arbitrary file disclosure in Camel templating components |
| CVE-2020-11973 | 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 | 2.25.1, 3.2.0 | MEDIUM | Apache Camel Netty enables Java deserialization by default |
| CVE-2020-11972 | 2.22.x, 2.23.x, 2.24.x, 2.25.0, 3.0.0 up to 3.1.0 | 2.25.1, 3.2.0 | MEDIUM | Apache Camel RabbitMQ enables Java deserialization by default |
| CVE-2020-11971 | 2.22.x, 2.23.x, 2.24.x, 2.25.x, 3.0.0 up to 3.1.0 | 3.2.0 | MEDIUM | Apache Camel JMX Rebind Flaw Vulnerability |
| 2019 | ||||
| CVE-2019-0188 | Apache Camel versions prior to 2.24.0 | 2.24.0 | MEDIUM | Apache Camel-XMLJson vulnerable to XML external entity injection (XXE) |
| CVE-2019-0194 | 2.21.0 up to 2.21.3, 2.22.0 up to 2.22.2, 2.23.0 | 2.21.5, 2.22.3, 2.23.1 | MEDIUM | Apache Camel's File is vulnerable to directory traversal |
| 2018 | ||||
| CVE-2018-8041 | 2.20.0 up to 2.20.3, 2.21.0 up to 2.21.1, 2.22.0 | 2.20.4, 2.21.2, 2.22.1 and newer | MEDIUM | Apache Camel's Mail is vulnerable to path traversal |
| CVE-2018-8027 | 2.20.0 up to 2.20.3, 2.21.0 | 2.20.4, 2.21.1 and newer | MEDIUM | Apache Camel's Core is vulnerable to XXE in the XSD validation processor |
| 2017 | ||||
| CVE-2017-12634 | 2.19.0 up to 2.19.3, 2.20.0 | 2.19.4, 2.20.1 and newer | MEDIUM | Apache Camel's Castor unmarshalling operation is vulnerable to Remote Code Execution attacks |
| CVE-2017-12633 | 2.19.0 up to 2.19.3, 2.20.0 | 2.19.4, 2.20.1 and newer | MEDIUM | Apache Camel's Hessian unmarshalling operation is vulnerable to Remote Code Execution attacks |
| CVE-2016-8749 | 2.16.0 up to 2.16.4, 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 | 2.16.5, 2.17.5, 2.18.2 | MEDIUM | Apache Camel's Jackson and JacksonXML unmarshalling operations are vulnerable to Remote Code Execution attacks |
| CVE-2017-5643 | 2.17.0 up to 2.17.5, 2.18.0 up to 2.18.2 | 2.17.6, 2.18.3 and newer | MEDIUM | Apache Camel's Validation Component is vulnerable to SSRF via remote DTDs and XXE |
| CVE-2017-3159 | 2.17.0 up to 2.17.4, 2.18.0 up to 2.18.1 | 2.17.5, 2.18.2 and newer | MEDIUM | Apache Camel's SnakeYAML unmarshalling operation is vulnerable to Remote Code Execution attacks |
| 2016 | ||||
| CVE-2015-5348 | 2.15.0 up to 2.15.4, 2.16.0 | 2.15.5, 2.16.1 and newer | MEDIUM | Apache Camel's Jetty/Servlet usage is vulnerable to Java object deserialization attacks. |
| CVE-2015-5344 | 2.15.0 up to 2.15.4, 2.16.0 | 2.15.5, 2.16.1 and newer | MEDIUM | Apache Camel's XStream usage is vulnerable to Remote Code Execution attacks. |
| 2015 | ||||
| CVE-2015-0264 | 2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1 | 2.13.4, 2.14.2, 2.15.0 and newer | MEDIUM | The XPath handling in Apache Camel for invalid XML Strings or invalid XML GenericFile objects allows remote attackers to read arbitrary files via an XML External Entity (XXE) declaration. The XML External Entity (XXE) is resolved before the Exception is thrown. |
| CVE-2015-0263 | 2.13.0 up to 2.13.3, 2.14.0 up to 2.14.1 | 2.13.4, 2.14.2, 2.15.0 and newer | MEDIUM | The XML converter setup in Apache Camel allows remote attackers to read arbitrary files via a SAXSource containing an XML External Entity (XXE) declaration. |
| 2014 | ||||
| CVE-2014-0003 | 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2 | 2.11.4, 2.12.3, 2.13.0 and newer | CRITICAL | The Apache Camel XSLT component allows XSL stylesheets to perform calls to external Java methods. |
| CVE-2014-0002 | 2.11.0 up to 2.11.3, 2.12.0 up to 2.12.2 | 2.11.4, 2.12.3, 2.13.0 and newer | CRITICAL | The Apache Camel XSLT component will resolve entities in XML messages when transforming them using an xslt route. |
| 2013 | ||||
| CVE-2013-4330 | 2.9.0 up to 2.9.7, 2.10.0 up to 2.10.6, 2.11.0 up to 2.11.1, 2.12.0 | 2.9.8, 2.10.7, 2.11.2, 2.12.1 and newer | CRITICAL | Writing files using the FILE or FTP components can potentially be exploited by a malicious user. |
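The "Affected" column above is free text, so checking a deployed Camel version against it by eye is error-prone (note, for instance, that "up to" ranges are inclusive while "before" ranges are not, and that 4.0.0-M1 sorts below 4.0.0). The following checker is an added example, not code from the Apache Camel project or this page: it parses that column into version ranges and reports which advisories cover a given version. The entries it embeds are copied from the table; the grammar it understands (`X before Y`, `X up to Y` inclusive, `X.Y.x`, `prior to Y`, and bare versions) is an assumption about how the column is written, so confirm any hit against the advisory itself.

```python
"""Match an Apache Camel version against the "Affected" column of the table above.

Added example, not code from the Apache Camel project. The entries below are
copied from the table; the range grammar ("X before Y", "X up to Y" inclusive,
"X.Y.x", "prior to Y", bare versions) is an assumption about how that column is
written, so confirm any hit against the advisory text itself.
"""
import re

# (CVE id, text of the "Affected" column), copied from the table above.
ADVISORIES = [
    ("CVE-2025-66169", "Apache Camel 4.10.x before 4.10.8, Apache Camel 4.14.x before 4.14.3, "
                       "Apache Camel 4.15.0 and 4.16.0."),
    ("CVE-2025-29891", "Apache Camel 4.10.0 before 4.10.2. Apache Camel 4.8.0 before 4.8.5. "
                       "Apache Camel 3.10.0 before 3.22.4."),
    ("CVE-2023-34442", "3.0.0 up to 3.14.8, and 3.18.0 up to 3.18.7, 3.20.0 up to 3.20.5 "
                       "and 4.0.0-M1 up to 4.0.0-M3"),
    ("CVE-2020-11994", "2.22.x, 2.23.x, 2.24.x, 2.25.0 and 2.25.1, 3.0.0 up to 3.3.0"),
    ("CVE-2019-0188", "Apache Camel versions prior to 2.24.0"),
]

VER = r"\d+\.\d+\.\d+(?:-[A-Za-z0-9]+)?"          # 3.22.4, 4.0.0-M1, 4.0.0-RC1
RANGE_RE = re.compile(
    rf"(?P<lo>{VER}|\d+\.\d+\.x)?\s*(?:versions\s+)?(?P<op>before|up to|prior to)\s+(?P<hi>{VER})"
    rf"|(?P<wild>\d+\.\d+)\.x"                  # a whole minor line, e.g. 2.22.x
    rf"|(?P<exact>{VER})"                       # a single listed version
)


def parse_version(text):
    """Return a comparable tuple; a milestone/RC sorts before its final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z0-9]+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Camel version {text!r}")
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch), 0 if tag is None else -1, tag or "")


def version_in(v, affected_text):
    """True if parsed version v falls inside any clause of an "Affected" cell."""
    for m in RANGE_RE.finditer(affected_text):
        if m.group("exact"):
            if v == parse_version(m.group("exact")):
                return True
        elif m.group("wild"):
            major, minor = (int(x) for x in m.group("wild").split("."))
            if v[0] == major and v[1] == minor:
                return True
        else:
            lo = m.group("lo")
            if lo is None:                          # "prior to Y": no lower bound
                low_ok = True
            elif lo.endswith(".x"):                 # "4.10.x before 4.10.8"
                low_ok = v >= parse_version(lo[:-1] + "0")
            else:
                low_ok = v >= parse_version(lo)
            hi = parse_version(m.group("hi"))
            high_ok = v <= hi if m.group("op") == "up to" else v < hi   # "up to" is inclusive
            if low_ok and high_ok:
                return True
    return False


def affected_by(version, advisories=ADVISORIES):
    """CVE ids from the table whose "Affected" text covers the given version."""
    v = parse_version(version)
    return [cve for cve, affected in advisories if version_in(v, affected)]


if __name__ == "__main__":
    import sys
    for ver in sys.argv[1:] or ["4.10.1", "4.0.0-M2", "2.23.5", "4.17.0"]:
        hits = affected_by(ver)
        print(f"{ver}: {', '.join(hits) if hits else 'no advisories in the embedded subset'}")
```

Run it with the versions reported by your build (`python check.py 4.10.1 3.22.3`); to cover the whole table, paste the remaining "Affected" cells into `ADVISORIES`. A hit means the page's text places that version in an affected range; it does not tell you whether the vulnerable component (camel-neo4j, camel-ldap, camel-jira, ...) is actually on your classpath, so follow up with the advisory for each CVE reported.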