Critical severity · NVD Advisory · Published Feb 23, 2026 · Updated Feb 23, 2026
Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy
CVE-2026-23552
Description
Cross-realm token acceptance bypass in KeycloakSecurityPolicy, part of the Apache Camel Keycloak (camel-keycloak) component.
The camel-keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation. This issue affects Apache Camel from 4.15.0 before 4.18.0.
Users are recommended to upgrade to version 4.18.0, which fixes the issue.
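The check the advisory describes as missing, as an added illustration that is not Camel's code and not the actual fix: a token is verified, then its iss claim is compared exactly against the issuer the policy expects for its own realm. It assumes Keycloak's standard issuer format, `<server-url>/realms/<realm>`; the `RealmPolicy` class, the `check_issuer` switch used to contrast the vulnerable and corrected behaviour, and the HS256-signed demo tokens are constructed for the example (real Keycloak realms sign with per-realm asymmetric keys).

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret so the example runs offline with a symmetric
# signature; it stands in for the realm's signing key.
DEMO_SECRET = b"demo-shared-secret"
KC = "https://kc.example.test"  # constructed Keycloak server URL


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT for the demo (constructed, not a Keycloak token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_and_decode(token: str, secret: bytes = DEMO_SECRET) -> dict:
    """Check the HS256 signature and return the claims; raises on a bad signature."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


class RealmPolicy:
    """Hypothetical policy object: one instance per configured server URL and realm."""

    def __init__(self, server_url: str, realm: str, check_issuer: bool = True):
        self.server_url = server_url.rstrip("/")
        self.realm = realm
        # check_issuer=False reproduces the vulnerable behaviour for contrast.
        self.check_issuer = check_issuer

    @property
    def expected_issuer(self) -> str:
        # Keycloak sets iss to "<server-url>/realms/<realm>" for every token it issues.
        return f"{self.server_url}/realms/{self.realm}"

    def authorize(self, token: str) -> bool:
        claims = verify_and_decode(token)
        if claims.get("exp", 0) <= time.time():
            return False
        if self.check_issuer:
            # Exact string comparison, not a prefix match: a token for
            # "/realms/tenant-a" must not satisfy a policy for "/realms/tenant-a-admin".
            if claims.get("iss") != self.expected_issuer:
                return False
        return True


def demo() -> dict:
    """Constructed scenario: a tenant-a token presented to policies for several realms."""
    token = mint_token({
        "iss": f"{KC}/realms/tenant-a",
        "sub": "alice",
        "exp": int(time.time()) + 3600,
    })
    return {
        # Same realm: accepted either way.
        "same_realm": RealmPolicy(KC, "tenant-a").authorize(token),
        # The bug: a tenant-b policy that never looks at iss accepts tenant-a's token.
        "cross_realm_unchecked": RealmPolicy(KC, "tenant-b", check_issuer=False).authorize(token),
        # The corrected behaviour: issuer mismatch, rejected.
        "cross_realm_checked": RealmPolicy(KC, "tenant-b").authorize(token),
        # A realm whose name is a prefix of the token's realm is still rejected.
        "prefix_realm": RealmPolicy(KC, "tenant").authorize(token),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the accepted issuer to the policy's own realm is what restores tenant isolation; checking only the signature (or only that some Keycloak issued the token) is not enough when several realms share one server.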
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.camel:camel-keycloak (Maven) | >= 4.15.0, < 4.18.0 | 4.18.0 |
References
- camel.apache.org/security/CVE-2026-23552.html (vendor advisory)
- github.com/advisories/GHSA-c3f3-cc42-xr9v (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-23552 (NVD)
- www.openwall.com/lists/oss-security/2026/02/18/7 (oss-security announcement)
- github.com/apache/camel/commit/c1ed776e3a4fa23d15acf4b9a48fdf758d4316ff (fix commit)
- issues.apache.org/jira/browse/CAMEL-22854 (Apache JIRA issue)