---
title: "Apache Camel Security Advisory - CVE-2026-23552"
date: 2026-02-17T09:00:00+02:00
url: /security/CVE-2026-23552.html
draft: false
type: security-advisory
cve: CVE-2026-23552
severity: HIGH
summary: "Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance in KeycloakSecurityPolicy"
description: "The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation."
mitigation: "Users are recommended to upgrade to version 4.18.0, which fixes the issue."
credit: "This issue was discovered by Andrea Cosentino from Apache Software Foundation"
affected: From 4.15.0 before 4.18.0.
fixed: 4.18.0
---

The JIRA ticket https://issues.apache.org/jira/browse/CAMEL-22854 refers to the various commits that resolved the issue and has more details.
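The missing check described above, shown as an added illustration in Python rather than as Camel's or Keycloak's own code: Keycloak sets the `iss` claim to `<server-url>/realms/<realm>`, so a policy bound to one realm must compare that claim, after signature verification, with the issuer URL of its own configured realm. The server URL, realm names and token contents below are constructed sample values.

```python
import base64
import json

# Constructed sample Keycloak base URL; Keycloak's issuer format is
# "<server-url>/realms/<realm>". Nothing here comes from the advisory itself.
KEYCLOAK_URL = "https://sso.example.test"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWS serialisation strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a JWT-shaped token for the demo. A real token carries an RS256
    signature; the issuer check below assumes that signature has already
    been verified against the realm's keys."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


def token_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    return json.loads(b64url_decode(parts[1]))


def accepts_without_issuer_check(token: str, configured_realm: str) -> bool:
    """Mirrors the flaw the advisory describes: the realm the token came
    from is never compared with the realm the policy was configured for,
    so configured_realm plays no part in the decision."""
    claims = token_claims(token)
    return "sub" in claims


def accepts_with_issuer_check(token: str, configured_realm: str) -> bool:
    """Hardened variant: iss must equal the configured realm's issuer URL.
    Exact string equality matters; a prefix test would let a realm named
    'tenant-a-evil' pass a policy configured for 'tenant-a'."""
    claims = token_claims(token)
    expected_iss = f"{KEYCLOAK_URL}/realms/{configured_realm}"
    return "sub" in claims and claims.get("iss") == expected_iss
```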