Improperly Controlled Modification of Dynamically-Determined Object Attributes Affecting org.apache.camel:camel-nats package, versions [4.0.0,4.14.8)[4.15.0,4.18.3)[4.19.0,4.21.0)


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.42% (35th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JAVA-ORGAPACHECAMEL-17879236
  • published7 Jul 2026
  • disclosed6 Jul 2026
  • creditYu Bao

Introduced: 6 Jul 2026

NewCVE-2026-46457  (opens in a new tab)
CWE-915  (opens in a new tab)

How to fix?

Upgrade org.apache.camel:camel-nats to version 4.14.8, 4.18.3, 4.21.0 or higher.

Overview

Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes via the NatsConsumer process. An attacker can manipulate downstream producer behavior by injecting arbitrary control headers into messages published to the NATS subject. This can result in actions such as redirecting HTTP producers, changing file names, or overriding queries by supplying specially crafted headers. The injected headers persist across internal direct, seda, and vm hops. This is only exploitable if the NATS server is configured without authentication and NATS 2.2 or later is used.

Workaround

This vulnerability can be mitigated by stripping Camel control headers from inbound NATS messages before they reach any downstream producer (for example, using removeHeaders('Camel*') and removeHeaders('camel*') at the start of the route), and by enabling authentication on the NATS server so that only trusted clients can publish to the consumed subject.

CVSS Base Scores

version 4.0
version 3.1