9.1

Apache Camel: Unsecured Keycloak Tokens Bypass Tenant Isolation

CVE-2026-23552 GHSA-c3f3-cc42-xr9v
Summary

Apache Camel's Keycloak integration (KeycloakSecurityPolicy in the camel-keycloak component) does not check the iss (issuer) claim of a JWT against the realm the policy is configured for. A validly signed token minted by a different Keycloak realm is therefore accepted, and its bearer can reach routes that the policy was meant to restrict to the configured realm's users, which breaks tenant isolation in multi-realm deployments. Affected: Apache Camel 4.15.0 up to, but not including, 4.18.0. To fix the issue, update to version 4.18.0 or later.

What to do
  • Update org.apache.camel:camel-keycloak (and the Apache Camel release it ships with) to version 4.18.0 or later.
Affected software

Vendor   Product                            Affected versions             Fix available
apache   org.apache.camel:camel-keycloak    >= 4.15.0, < 4.18.0           4.18.0
apache   camel                              >= 4.15.0, < 4.18.0           4.18.0

(The version range follows the original description: from 4.15.0 before 4.18.0; 4.18.0 is the fixed release, not an affected one.)
Original title
Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm
Original description
Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. 

The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation.
This issue affects Apache Camel: from 4.15.0 before 4.18.0.

Users are recommended to upgrade to version 4.18.0, which fixes the issue.
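The check that the description says is missing, as an added example that is not code from Apache Camel or from the advisory: a token whose HS256 signature verifies is accepted by the flawed pattern regardless of which realm minted it, while the hardened pattern additionally requires the iss claim to equal the configured realm's issuer string. The server URL, realm names, shared secret and tokens are all constructed here; real Keycloak realms sign with per-realm RS256 keys, and a single shared HS256 secret is used only so the example runs offline and so the signature check alone cannot tell the two realms apart. The issuer format `<server>/realms/<realm>` is the Keycloak default assumed here (older deployments prefix `/auth`).

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed fixtures, not real Keycloak values.
SERVER_URL = "https://sso.example.test"
SECRET = b"constructed-shared-test-secret"  # one key for both realms: isolates the issuer check


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def keycloak_issuer(server_url: str, realm: str) -> str:
    """Issuer string Keycloak writes into iss for tokens of a realm (assumed default layout)."""
    return f"{server_url.rstrip('/')}/realms/{realm}"


def make_hs256_jwt(claims: dict, secret: bytes) -> str:
    """Mint a compact JWT signed with HS256 (test helper only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    sig = hmac.new(secret, ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts) + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return None  # refuse "none" and any other algorithm confusion
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except ValueError:  # malformed base64 or JSON, wrong number of segments
        return None


def accept_without_issuer_check(token: str, secret: bytes) -> bool:
    """Flawed pattern: a valid signature is treated as sufficient. Any realm's token passes."""
    return verify_hs256(token, secret) is not None


def accept_with_issuer_check(token: str, secret: bytes, server_url: str, realm: str) -> bool:
    """Hardened pattern: valid signature AND iss exactly equal to the configured realm's issuer."""
    claims = verify_hs256(token, secret)
    if claims is None:
        return False
    return claims.get("iss") == keycloak_issuer(server_url, realm)


# Two constructed tokens: one from the realm the policy protects, one from another tenant.
TOKEN_TENANT_A = make_hs256_jwt(
    {"iss": keycloak_issuer(SERVER_URL, "tenant-a"), "sub": "alice", "preferred_username": "alice"}, SECRET)
TOKEN_TENANT_B = make_hs256_jwt(
    {"iss": keycloak_issuer(SERVER_URL, "tenant-b"), "sub": "mallory", "preferred_username": "mallory"}, SECRET)

if __name__ == "__main__":
    for name, tok in (("tenant-a token", TOKEN_TENANT_A), ("tenant-b token", TOKEN_TENANT_B)):
        print(name, "signature-only:", accept_without_issuer_check(tok, SECRET),
              "issuer-pinned(tenant-a):", accept_with_issuer_check(tok, SECRET, SERVER_URL, "tenant-a"))
```

To confirm what a given token would be judged against, base64url-decode its middle segment and compare the iss value with the issuer of the realm the policy is configured for; the comparison is an exact string match, so a trailing slash or different host name counts as a different issuer. The upgrade to 4.18.0 is the actual fix; this block only shows the shape of the missing check.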
NVD CVSS 3.1 base score: 9.1
Vulnerability type
CWE-346 (Origin Validation Error)
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026