Description
Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. 

The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation.
This issue affects Apache Camel: from 4.15.0 before 4.18.0.

Users are recommended to upgrade to version 4.18.0, which fixes the issue.
Published: 2026-02-23
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass via Cross-Realm Token Acceptance
Action: Patch
AI Analysis

Impact

Apache Camel’s Camel-Keycloak KeycloakSecurityPolicy fails to verify the issuer claim of JSON Web Tokens. As a result, a token issued by one Keycloak realm can be accepted by a policy configured for a different realm, breaking tenant isolation and allowing an attacker to impersonate a user from another realm. This flaw corresponds to CWE-346, a failure to validate token authenticity, and can lead to unauthorized access to protected resources.

Affected Systems

Apache Camel versions from 4.15.0 up to, but not including, 4.18.0 contain the vulnerability. These releases deploy the KeycloakSecurityPolicy without issuer validation.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical impact on confidentiality, integrity, and availability with a high exploitation complexity. The EPSS score is less than 1%, suggesting a low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote: an attacker can send a crafted HTTP request bearing a malicious JWT from another realm to any Camel route that uses the KeycloakSecurityPolicy, gaining unauthorized access behind the tenancy isolation layer.

Generated by OpenCVE AI on April 18, 2026 at 11:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Camel to version 4.18.0 or later, which includes issuer validation in the KeycloakSecurityPolicy.
  • Verify that all Camel routes using KeycloakSecurityPolicy are configured to accept only tokens from the intended realm by checking the realm configuration and, if necessary, explicitly validating the iss claim in custom policies.
  • Monitor application logs for unexpected token issuers and apply network segmentation to restrict access to the Camel application from untrusted networks.

Generated by OpenCVE AI on April 18, 2026 at 11:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-c3f3-cc42-xr9v Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm
History

Thu, 26 Feb 2026 17:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*

Mon, 23 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Mon, 23 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache camel
Vendors & Products Apache
Apache camel

Mon, 23 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
References

Mon, 23 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
Description Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component.  The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation. This issue affects Apache Camel: from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue.
Title Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy
Weaknesses CWE-346
References

Subscriptions

Apache Camel
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-02-23T15:40:59.201Z

Reserved: 2026-01-14T12:27:42.250Z

Link: CVE-2026-23552

cve-icon Vulnrichment

Updated: 2026-02-23T09:21:26.298Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-23T09:17:00.857

Modified: 2026-02-26T16:46:16.643

Link: CVE-2026-23552

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T11:15:35Z

Weaknesses