Apache Camel security advisory: CVE-2026-53913
Severity
HIGHSummary
Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a fail-open authentication bypassVersions affected
From 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0.Versions fixed
4.18.3 and 4.21.0Description
The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and issuer for token introspection) is performed exclusively inside those role and permission checks. KeycloakSecurityPolicy defaults requiredRoles and requiredPermissions to empty - which is the documented 'Basic Setup' - so on a route configured that way the role and permission checks are skipped and the access token is therefore never verified. The token-presence check still rejects a missing token, but an invalid token is accepted: any non-null value in the Authorization: Bearer header - including an arbitrary string or a forged, unsigned JWT - passes the policy and the request reaches the protected route, with no signature, issuer or expiry check and no request to Keycloak. The token is read from the inbound request header because allowTokenFromHeader defaults to true. Because the normal reason to place a route behind this policy is that the route performs server-side work, the bypass results in unauthenticated access to that work; where the protected route forwards to a code-execution-capable producer, it can result in unauthenticated remote code execution. This defect is independent of CVE-2026-23552: that issue concerned the issuer claim and was fixed by adding a check inside the verification routine, but here the verification routine is not reached at all in the default configuration, so the defect remains.Notes
The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23738 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23958 (commit 1477cb4e87b2c301f1cdcddca5b153fbbef6934b) and backported to camel-4.18.x (commit b62170072348cc4073ddf705ad716aa3678d6c09). The fix makes KeycloakSecurityProcessor.beforeProcess() always authenticate the access token when one is present, independently of whether roles or permissions are configured; the role and permission checks now run only after authentication, and an invalid or unverifiable token is rejected the same way as a missing token. The issue is a fail-open authentication bypass, classified as CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function) and CWE-636 (Not Failing Securely): the routine that verifies the token’s signature, issuer and expiry was invoked only from the role and permission checks, which are skipped when requiredRoles and requiredPermissions are both empty (the default ‘Basic Setup’), so the token was never verified in that configuration. It is independent of and upstream of CVE-2026-23552, which added an issuer check inside the verification routine that is not reached on the no-roles/no-permissions path. The camel-keycloak component was introduced in 4.15.0, so the 4.14.x release line does not include it and is not affected.
Mitigation
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at the framework layer ahead of the policy.Credit
This issue was discovered by Lidor Ben Shitrit from Novee SecurityReferences
- PGP signed advisory data: CVE-2026-53913.txt.asc
- Mitre CVE Entry: https://www.cve.org/CVERecord?id=CVE-2026-53913