CVE-2026-23552

Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy

Assigner: apache
Reserved: 14.01.2026 Published: 23.02.2026 Updated: 23.02.2026

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component.

The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation. This issue affects Apache Camel: from 4.15.0 before 4.18.0.

Users are recommended to upgrade to version 4.18.0, which fixes the issue.

Product Status

Vendor	Apache Software Foundation
Product	Apache Camel
Versions	Default: unaffected affected from 4.15.0 to 4.18.0 (excl.)

Vendor

Apache Software Foundation

Product

Apache Camel

Versions

Default: unaffected

affected from 4.15.0 to 4.18.0 (excl.)

Credits

Andrea Cosentino finder
Andrea Cosentino remediation developer

References

Problem Types

CWE-346 Origin Validation Error CWE

CVE-2026-23552 PUBLISHED

Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy

Product Status

Credits

References

Problem Types