CVE-2026-23552: Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm

February 23, 2026 (updated February 25, 2026)

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component.

The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation. This issue affects Apache Camel: from 4.15.0 before 4.18.0.

Users are recommended to upgrade to version 4.18.0, which fixes the issue.

References

camel.apache.org/security/CVE-2026-23552.html
github.com/advisories/GHSA-c3f3-cc42-xr9v
github.com/apache/camel
github.com/apache/camel/commit/c1ed776e3a4fa23d15acf4b9a48fdf758d4316ff
github.com/oscerd/CVE-2026-23552
issues.apache.org/jira/browse/CAMEL-22854
nvd.nist.gov/vuln/detail/CVE-2026-23552

Code Behaviors & Features

Detect and mitigate CVE-2026-23552 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →