CVE-2026-23552 Overview
A critical authentication bypass vulnerability has been identified in the Apache Camel Keycloak component's KeycloakSecurityPolicy. The vulnerability stems from improper validation of JWT tokens, specifically failing to verify the iss (issuer) claim against the configured Keycloak realm. This flaw allows tokens issued by one Keycloak realm to be silently accepted by policies configured for entirely different realms, effectively breaking multi-tenant isolation and security boundaries.
This vulnerability is classified under CWE-346 (Origin Validation Error), indicating a failure to properly validate the origin of data. In multi-tenant environments where different realms represent separate security domains, this vulnerability can lead to unauthorized cross-tenant access and data exposure.
Critical Impact
Attackers can use tokens from one Keycloak realm to authenticate against services configured for different realms, completely bypassing tenant isolation and potentially gaining unauthorized access to protected resources across security boundaries.
Affected Products
- Apache Camel versions 4.15.0 through 4.17.x (prior to 4.18.0)
- Apache Camel Keycloak component (camel-keycloak)
- Deployments using KeycloakSecurityPolicy for JWT validation
Discovery Timeline
- 2026-02-23 - CVE-2026-23552 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2026-23552
Vulnerability Analysis
The vulnerability resides in the KeycloakSecurityPolicy class within the Apache Camel Keycloak component. When processing incoming JWT tokens, the security policy performs standard token validation checks such as signature verification and expiration validation. However, it critically omits verification of the iss (issuer) claim against the expected realm URL configured in the policy.
In a properly functioning implementation, the issuer claim should match the Keycloak realm URL (typically in the format https://<keycloak-host>/realms/<realm-name>). Without this validation, a valid token from any Keycloak realm on the same identity provider—or even a different Keycloak instance entirely—will pass validation checks.
The impact is particularly severe in multi-tenant architectures where different customers or organizational units are segregated into separate Keycloak realms. An attacker with legitimate access to one realm can forge requests to services protected by a different realm's policy, achieving unauthorized cross-tenant access.
Root Cause
The root cause is the absence of issuer claim validation in the JWT token processing logic within KeycloakSecurityPolicy. The component validates the token signature and standard claims but fails to verify that the token's issuer matches the expected Keycloak realm configured for the protected resource. This is a classic Origin Validation Error (CWE-346) where the source of authentication data is not properly verified.
Attack Vector
The attack can be executed remotely over the network without requiring any privileges or user interaction. An attacker needs:
- A valid JWT token from any Keycloak realm (including one they legitimately control or have access to)
- Network access to an Apache Camel endpoint protected by KeycloakSecurityPolicy
- Knowledge of the target endpoint URL
The attacker simply presents their valid token from Realm A to an endpoint configured to accept tokens from Realm B. Due to the missing issuer validation, the token passes all security checks and grants the attacker access to resources they should not be able to reach.
The attack requires no special tooling—standard HTTP requests with a JWT bearer token are sufficient to exploit this vulnerability. In cloud environments or shared Keycloak deployments, this significantly lowers the barrier to exploitation.
Detection Methods for CVE-2026-23552
Indicators of Compromise
- JWT tokens with iss claims that do not match the expected Keycloak realm URL appearing in application logs
- Successful authentication events where the token issuer differs from the configured realm
- Unusual cross-tenant access patterns or data access from unexpected source realms
- Authentication audit logs showing realm mismatches between token origin and service configuration
Detection Strategies
- Implement centralized logging of JWT token claims, particularly the iss field, for all Camel-Keycloak protected endpoints
- Create correlation rules to detect tokens with issuer claims that do not match the expected realm configuration
- Monitor for authentication successes where the token's iss claim domain or realm path differs from expected values
- Deploy network-level monitoring to identify anomalous authentication patterns across tenant boundaries
Monitoring Recommendations
- Enable detailed authentication logging in Apache Camel applications to capture full JWT token metadata
- Configure SIEM alerts for any authentication events where the issuer claim validation would have failed
- Establish baseline patterns for normal cross-service authentication and alert on deviations
- Implement audit logging that records both the configured realm and the actual token issuer for forensic analysis
How to Mitigate CVE-2026-23552
Immediate Actions Required
- Upgrade Apache Camel to version 4.18.0 or later, which includes the fix for this vulnerability
- Audit all deployments using camel-keycloak component to identify affected services
- Review authentication logs for any evidence of cross-realm token acceptance
- Consider implementing additional API gateway-level issuer validation as defense-in-depth
Patch Information
Apache has released version 4.18.0 which addresses this vulnerability by implementing proper issuer claim validation in the KeycloakSecurityPolicy. Users running Apache Camel versions 4.15.0 through 4.17.x should upgrade immediately. The security advisory with full details is available at the Apache Camel Security Advisory.
Additional technical resources are available through the GitHub CVE-2026-23552 Repository and the OpenWall OSS-Security Discussion.
Workarounds
- Implement a custom token validator that explicitly checks the iss claim before processing requests
- Deploy an API gateway or reverse proxy that validates JWT issuer claims before forwarding requests to Camel endpoints
- Use network segmentation to limit exposure between different tenant environments until patching is complete
- Consider temporarily disabling KeycloakSecurityPolicy and using alternative authentication mechanisms for critical endpoints
# Upgrade Apache Camel to patched version
# Maven dependency update in pom.xml
# Change: <camel.version>4.15.0</camel.version>
# To: <camel.version>4.18.0</camel.version>
# Gradle users update build.gradle
# Change: implementation 'org.apache.camel:camel-keycloak:4.15.0'
# To: implementation 'org.apache.camel:camel-keycloak:4.18.0'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
