Severity: moderate 

Affected versions:

- Apache Camel (org.apache.camel:camel-keycloak) 4.18.0 before 4.18.3
- Apache Camel (org.apache.camel:camel-keycloak) 4.19.0 before 4.21.0

Description:

Insufficient Session Expiration vulnerability in Apache Camel Keycloak 
Component.

The camel-keycloak security helper 
KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak 
TokenVerifier using withChecks(...) with only the subject-exists check and the 
realm-URL (issuer) check. Keycloak's TokenVerifier.withChecks(...) appends to 
an initially empty check list - the upstream default checks are installed only 
when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which 
validates the token's exp (expiration) and nbf (not-before) claims, is never 
applied. As a result the helper verifies the token signature, subject and 
issuer but does not enforce the token's validity window: an access token that 
is expired, or not yet valid, is accepted as valid. Routes that rely on this 
helper to authenticate inbound requests therefore accept access tokens that are 
outside their intended lifetime.
This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 
4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If 
users are on the 4.18.x releases stream, then they are suggested to upgrade to 
4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include 
the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access 
tokens are rejected, aligning the helper with Keycloak's default check set. For 
deployments that cannot upgrade immediately, enforce token expiration outside 
the helper - for example validate the access token's exp/nbf claims in the 
route before trusting it, keep Keycloak access-token lifetimes short, and 
ensure any upstream gateway or resource server also validates the token 
validity window.

Credit:

Yu Bao from Paypal (finder)
Andrea Cosentino from Apache Software Foundation (finder)

References:

https://camel.apache.org/security/CVE-2026-46455.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-46455

Reply via email to