Severity: important
Affected versions:
- Apache Camel (org.apache.camel:camel-keycloak) 4.15.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-keycloak) 4.19.0 before 4.21.0
Description:
Improper Authentication, Missing Authentication for Critical Function, Not
Failing Securely ('Failing Open') vulnerability in Apache Camel Keycloak
Component.
The KeycloakSecurityPolicy of camel-keycloak guards a route by running
KeycloakSecurityProcessor.beforeProcess(), which performs three checks in
sequence: it rejects a request that carries no access token, then - only if
requiredRoles is non-empty - validates the roles, and - only if
requiredPermissions is non-empty - validates the permissions. The actual
cryptographic verification of the bearer access token (signature, issuer and
expiry for a local JWT, or active-state and issuer for token introspection) is
performed exclusively inside those role and permission checks.
KeycloakSecurityPolicy defaults requiredRoles and requiredPermissions to empty
- which is the documented 'Basic Setup' - so on a route configured that way the
role and permission checks are skipped and the access token is therefore never
verified. The token-presence check still rejects a missing token, but an
invalid token is accepted: any non-null value in the Authorization: Bearer
header - including an arbitrary string or a forged, unsigned JWT - passes the
policy and the request reaches the protected route, with no signature, issuer
or expiry check and no request to Keycloak. The token is read from the inbound
request header because allowTokenFromHeader defaults to true. Because the
normal reason to place a route behind this policy is that the route performs
server-side work, the bypass results in unauthenticated access to that work;
where the protected route forwards to a code-execution-capable producer, it can
result in unauthenticated remote code execution. This defect is independent of
CVE-2026-23552: that issue concerned the issuer claim and was fixed by adding a
check inside the verification routine, but here the verification routine is not
reached at all in the default configuration, so the defect remains.
This issue affects Apache Camel: from 4.15.0 before 4.18.3, from 4.19.0 before
4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If
users are on the 4.18.x releases stream, then they are suggested to upgrade to
4.18.3. For deployments that cannot upgrade immediately, configure a non-empty
requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that
the token-verification path is exercised, set allowTokenFromHeader to false
where the token is not expected from the request header, or perform token
verification at the framework layer ahead of the policy.
Credit:
Lidor Ben Shitrit from Novee Security (finder)
Andrea Cosentino (remediation developer)
References:
https://camel.apache.org/security/CVE-2026-53913.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-53913