Impact
The vulnerability allows a client to present an expired or not‑yet‑valid Keycloak access token to a Camel route and be granted authentication. The library verifies only signature, subject, and issuer but omits the IS_ACTIVE predicate that checks the exp and nbf claims, so expired tokens are treated as valid, enabling unauthorized access or privilege escalation. This constitutes an authentication bypass flaw (CWE‑613).
Affected Systems
Apache Camel Camel‑Keycloak component, versions 4.18.0 through 4.18.2 and 4.19.0 through 4.20.x are affected. The upstream default TokenVerifier.withDefaultChecks() is not invoked as the helper builds its check list manually. Users running these affected releases must upgrade to a fixed version.
Risk and Exploitability
The EPSS score indicates that the probability of exploitation is very low (under 1 %) and the vulnerability is not listed in CISA's KEV catalog. The CVSS score of 9.8 indicates a critical severity. However, if an attacker gains the ability to supply or modify an access token, they can bypass authentication controls and potentially access protected resources. The likely attack vector is remote, through any client that can send an HTTP request containing an expired token to a Camel endpoint. Proper validation of exp and nbf or tighter token lifetimes are required until a patch is applied.
OpenCVE Enrichment