Cross-Realm Token Bypass in Camel-Keycloak KeycloakSecurityPolicy <4.18.0
CVE-2026-23552 Published on February 23, 2026
Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy
The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of a JWT against the realm the policy is configured for. A token issued by one Keycloak realm is therefore silently accepted by a policy configured for a completely different realm, which breaks tenant isolation: a valid token from any other realm is enough to pass the policy.
This issue affects Apache Camel: from 4.15.0 before 4.18.0.
Users are recommended to upgrade to version 4.18.0, which fixes the issue.
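The check that is missing is small, so the following added example (not Camel-Keycloak's own code) reconstructs the class of bug with a minimal HS256 JWT verifier. The Keycloak hostname, realm names and per-realm signing secrets are constructed for illustration; the only Keycloak fact relied on is that a realm's issuer URL has the form <server>/realms/<realm>. The vulnerable variant assumes the verifier selects the realm key from the token's own iss claim, so any realm on the server verifies cleanly; the fixed variant pins iss to the configured realm before it looks at the signature.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed stand-ins for a Keycloak server with two tenant realms, each with its
# own signing key (real Keycloak uses per-realm RSA keys; HMAC keeps this self-contained).
KEYCLOAK = "https://keycloak.example.com"
REALM_KEYS = {
    f"{KEYCLOAK}/realms/tenant-a": b"tenant-a-signing-secret",  # constructed
    f"{KEYCLOAK}/realms/tenant-b": b"tenant-b-signing-secret",  # constructed
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuer: str, subject: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Mint an HS256 token the way a realm's token endpoint would (constructed claims)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = _b64url(json.dumps({"iss": issuer, "sub": subject, "iat": now, "exp": now + ttl}).encode())
    signing_input = f"{header}.{claims}"
    sig = hmac.new(REALM_KEYS[issuer], signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _split(token: str):
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    return header_b64, claims_b64, sig_b64, json.loads(_b64url_decode(claims_b64))


def _check_signature_and_expiry(token: str, key: bytes, now: Optional[int]) -> dict:
    header_b64, claims_b64, sig_b64, claims = _split(token)
    expected = hmac.new(key, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def verify_without_issuer_pin(token: str, now: Optional[int] = None) -> dict:
    """Vulnerable pattern (assumed for illustration): the key is chosen from the token's
    own iss claim and iss is never compared with the realm the policy was configured for,
    so a well-formed, unexpired token from any realm on the server is accepted."""
    _, _, _, claims = _split(token)
    key = REALM_KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    return _check_signature_and_expiry(token, key, now)


def verify_for_realm(token: str, configured_realm: str, now: Optional[int] = None) -> dict:
    """Fixed pattern: the configured realm determines both the expected issuer and the
    key; a token whose iss does not match is rejected before the signature is checked."""
    expected_issuer = f"{KEYCLOAK}/realms/{configured_realm}"
    _, _, _, claims = _split(token)
    if claims.get("iss") != expected_issuer:
        raise PermissionError(f"issuer {claims.get('iss')!r} is not {expected_issuer!r}")
    return _check_signature_and_expiry(token, REALM_KEYS[expected_issuer], now)


if __name__ == "__main__":
    now = 1_700_000_000
    foreign = mint_token(f"{KEYCLOAK}/realms/tenant-b", "alice", now=now)
    print("unpinned verifier accepts tenant-b token for a tenant-a policy:",
          verify_without_issuer_pin(foreign, now=now)["iss"])
    try:
        verify_for_realm(foreign, "tenant-a", now=now)
    except PermissionError as exc:
        print("pinned verifier rejects it:", exc)
```

The order in verify_for_realm matters in practice: comparing iss against the configured realm first means a foreign token is refused with a clear reason, and the key used for the signature check is the configured realm's key rather than whatever the token names, so a token can never steer the verifier toward a key of the attacker's choosing.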
Vulnerability Analysis
CVE-2026-23552 is exploitable over the network, requires neither privileges nor user interaction, and has low attack complexity. An automatable proof-of-concept (PoC) exploit exists. A successful exploit has a high impact on confidentiality and integrity and no impact on availability.
Weakness Type
Origin Validation Error
The software does not properly verify that the source of data or communication is valid.
Products Associated with CVE-2026-23552
Affected Versions
Apache Camel (Apache Software Foundation): versions from 4.15.0 up to, but not including, 4.18.0 are affected.