Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-46455

CVE-2026-46455: Apache Camel Auth Bypass Vulnerability

CVE-2026-46455 is an authentication bypass flaw in Apache Camel Keycloak Component that allows expired tokens to be accepted as valid. This article covers technical details, affected versions, security impact, and mitigation.

Published:

CVE-2026-46455 Overview

CVE-2026-46455 is an Insufficient Session Expiration vulnerability [CWE-613] in the Apache Camel Keycloak component. The KeycloakSecurityHelper.parseAndVerifyAccessToken method builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists and realm-URL (issuer) checks. The built-in IS_ACTIVE predicate that validates the token's exp (expiration) and nbf (not-before) claims is never applied. As a result, routes relying on this helper accept access tokens that are expired or not yet valid. The issue affects Apache Camel from 4.18.0 before 4.18.3, and from 4.19.0 before 4.21.0.

Critical Impact

Attackers can present expired or not-yet-valid Keycloak access tokens to Camel routes and gain authenticated access, effectively bypassing session lifetime enforcement.

Affected Products

  • Apache Camel 4.18.0 through 4.18.2
  • Apache Camel 4.19.0 through 4.20.x
  • Deployments using the camel-keycloak component KeycloakSecurityHelper

Discovery Timeline

  • 2026-07-06 - CVE-2026-46455 published to NVD
  • 2026-07-08 - Last updated in NVD database

Technical Details for CVE-2026-46455

Vulnerability Analysis

The camel-keycloak component provides KeycloakSecurityHelper.parseAndVerifyAccessToken to authenticate inbound requests carrying Keycloak-issued access tokens. The helper constructs a TokenVerifier and calls withChecks(...) passing only the subject-exists check and the realm-URL issuer check.

In Keycloak's TokenVerifier API, withChecks(...) appends predicates to an initially empty check list. The upstream default checks are installed only when withDefaultChecks() is called. Because the helper never invokes withDefaultChecks(), the built-in IS_ACTIVE predicate is omitted from verification.

The helper still validates the token signature, subject, and issuer. It does not enforce the token's validity window. Any route that trusts the helper for authentication will accept tokens whose exp claim is in the past or whose nbf claim is in the future.

Root Cause

The root cause is a misuse of the Keycloak TokenVerifier builder API. Developers assumed withChecks(...) would augment default validations. The API instead replaces the check list with only the supplied predicates, silently dropping expiration enforcement.

Attack Vector

An attacker who obtains any previously issued but expired Keycloak access token, or a token minted with a future nbf, can submit it to a Camel route protected by KeycloakSecurityHelper. The helper returns a valid verification result. The route processes the request as an authenticated caller, defeating token lifetime controls and any revocation that relies on short-lived tokens.

The vulnerability manifests entirely in the Camel Keycloak helper's builder call. See the Apache Camel CVE-2026-46455 Advisory for the corrected builder invocation that includes TokenVerifier.IS_ACTIVE.

Detection Methods for CVE-2026-46455

Indicators of Compromise

  • Successful authenticated requests to Camel routes carrying JWT access tokens whose exp claim precedes the request timestamp.
  • Authenticated activity from user accounts or service identities where the Keycloak session has already been terminated or revoked.
  • Repeated reuse of the same access token jti value beyond its stated exp window.

Detection Strategies

  • Inspect Camel application logs and correlate JWT exp and iat claims against request timestamps to flag accepted expired tokens.
  • Enable Keycloak event logging and compare TOKEN_EXCHANGE and REFRESH_TOKEN events with downstream Camel authentication events for tokens with no matching refresh.
  • Deploy a reverse proxy or API gateway in front of Camel that independently validates exp and nbf and alerts on discrepancies.

Monitoring Recommendations

  • Monitor for camel-keycloak dependency versions in the vulnerable ranges 4.18.0-4.18.2 and 4.19.0-4.20.x across build manifests and running artifacts.
  • Alert on any authentication event where the presented token's exp is earlier than the current server time.
  • Track anomalous token reuse patterns, including tokens presented after user logout or admin-initiated session revocation.

How to Mitigate CVE-2026-46455

Immediate Actions Required

  • Upgrade Apache Camel to 4.21.0 on the 4.19.x/4.20.x branch, or to 4.18.3 on the 4.18.x branch.
  • Inventory all applications and integration flows using the camel-keycloak component and prioritize patching for internet-facing routes.
  • Reduce Keycloak access-token lifetimes to limit the exposure window for any tokens accepted before patching.

Patch Information

Apache Camel releases 4.18.3 and 4.21.0 fix the issue by updating KeycloakSecurityHelper.parseAndVerifyAccessToken to include the TokenVerifier.IS_ACTIVE check alongside the subject and issuer checks. This aligns the helper with Keycloak's default check set and causes expired or not-yet-valid tokens to be rejected. Full details are available in the Apache Camel CVE-2026-46455 Advisory.

Workarounds

  • Validate the access token's exp and nbf claims explicitly in the Camel route before trusting the helper's verification result.
  • Configure Keycloak with short access-token lifetimes to minimize the practical window for replaying expired tokens.
  • Terminate TLS and validate token expiration at an upstream API gateway or resource server so expired tokens never reach the Camel route.
  • Restrict network access to Camel endpoints protected by KeycloakSecurityHelper until the upgrade is applied.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.