Apache Camel security advisory: CVE-2026-23552

Severity

HIGH

Summary

Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance in KeycloakSecurityPolicy

Versions affected

From 4.15.0 before 4.18.0.

Versions fixed

4.18.0

Description

The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation.
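As an added illustration (not Camel's own code), the check the description implies: before a policy accepts a JWT, its iss claim is compared with the issuer URL of the realm the policy is configured for. It assumes Keycloak's issuer layout <server URL>/realms/<realm>; the server URL, realm names and tokens are constructed for the demo.

```python
import base64
import json

# Illustration only: it compares a JWT's "iss" claim with the issuer of the
# realm the policy is configured for. It does not verify the signature, which
# a real policy must still check against that same realm's keys.

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def expected_issuer(server_url: str, realm: str) -> str:
    """Keycloak realm issuer: <server URL>/realms/<realm> (assumed layout)."""
    return f"{server_url.rstrip('/')}/realms/{realm}"


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8, bad JSON
        raise ValueError(f"undecodable payload: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    return claims


def issuer_matches(token: str, server_url: str, realm: str) -> bool:
    """True only if iss is exactly the configured realm's issuer URL."""
    try:
        iss = jwt_claims(token).get("iss")
    except ValueError:
        return False
    # Exact comparison: a missing iss, another realm, or a look-alike
    # prefix such as ".../realms/tenant-a-evil" must all be rejected.
    return isinstance(iss, str) and iss == expected_issuer(server_url, realm)


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned test token (dummy signature) for this demo only."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

A token minted by realm tenant-a passes only the tenant-a policy; the same token presented to a tenant-b policy, a token with no iss, or one from a look-alike realm name is rejected.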

Notes

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-22854 refers to the commits that resolved the issue and has more details.

Mitigation

Users are recommended to upgrade to version 4.18.0, which fixes the issue.

Credit

This issue was discovered by Andrea Cosentino of the Apache Software Foundation.

References

PGP signed advisory data: CVE-2026-23552.txt.asc
Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-23552