CVE-2026-23552 — Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens agai

Description

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation. This issue affects Apache Camel: from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue.

How to fix CVE-2026-23552

To remediate CVE-2026-23552, upgrade the affected package to a fixed version below.

—upgrade to 4.18.0 or later

Is CVE-2026-23552 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 4.15.0, < 4.18.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	CRITICAL9.1	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-23552
PATCHgithub.com/apache/camel
WEBcamel.apache.org/security/CVE-2026-23552.html
WEBgithub.com/apache/camel/commit/c1ed776e3a4fa23d15acf4b9a48fdf758d4316ff
WEB