CVE-2026-46455 Overview
CVE-2026-46455 is an Insufficient Session Expiration vulnerability [CWE-613] in the Apache Camel Keycloak component. The KeycloakSecurityHelper.parseAndVerifyAccessToken method builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists and realm-URL (issuer) checks. The built-in IS_ACTIVE predicate that validates the token's exp (expiration) and nbf (not-before) claims is never applied. As a result, routes relying on this helper accept access tokens that are expired or not yet valid. The issue affects Apache Camel from 4.18.0 before 4.18.3, and from 4.19.0 before 4.21.0.
Critical Impact
Attackers can present expired or not-yet-valid Keycloak access tokens to Camel routes and gain authenticated access, effectively bypassing session lifetime enforcement.
Affected Products
- Apache Camel 4.18.0 through 4.18.2
- Apache Camel 4.19.0 through 4.20.x
- Deployments using the camel-keycloak component KeycloakSecurityHelper
Discovery Timeline
- 2026-07-06 - CVE-2026-46455 published to NVD
- 2026-07-08 - Last updated in NVD database
Technical Details for CVE-2026-46455
Vulnerability Analysis
The camel-keycloak component provides KeycloakSecurityHelper.parseAndVerifyAccessToken to authenticate inbound requests carrying Keycloak-issued access tokens. The helper constructs a TokenVerifier and calls withChecks(...) passing only the subject-exists check and the realm-URL issuer check.
In Keycloak's TokenVerifier API, withChecks(...) appends predicates to an initially empty check list. The upstream default checks are installed only when withDefaultChecks() is called. Because the helper never invokes withDefaultChecks(), the built-in IS_ACTIVE predicate is omitted from verification.
The helper still validates the token signature, subject, and issuer. It does not enforce the token's validity window. Any route that trusts the helper for authentication will accept tokens whose exp claim is in the past or whose nbf claim is in the future.
Root Cause
The root cause is a misuse of the Keycloak TokenVerifier builder API. Developers assumed withChecks(...) would augment default validations. The API instead replaces the check list with only the supplied predicates, silently dropping expiration enforcement.
Attack Vector
An attacker who obtains any previously issued but expired Keycloak access token, or a token minted with a future nbf, can submit it to a Camel route protected by KeycloakSecurityHelper. The helper returns a valid verification result. The route processes the request as an authenticated caller, defeating token lifetime controls and any revocation that relies on short-lived tokens.
The vulnerability manifests entirely in the Camel Keycloak helper's builder call. See the Apache Camel CVE-2026-46455 Advisory for the corrected builder invocation that includes TokenVerifier.IS_ACTIVE.
Detection Methods for CVE-2026-46455
Indicators of Compromise
- Successful authenticated requests to Camel routes carrying JWT access tokens whose exp claim precedes the request timestamp.
- Authenticated activity from user accounts or service identities where the Keycloak session has already been terminated or revoked.
- Repeated reuse of the same access token jti value beyond its stated exp window.
Detection Strategies
- Inspect Camel application logs and correlate JWT exp and iat claims against request timestamps to flag accepted expired tokens.
- Enable Keycloak event logging and compare TOKEN_EXCHANGE and REFRESH_TOKEN events with downstream Camel authentication events for tokens with no matching refresh.
- Deploy a reverse proxy or API gateway in front of Camel that independently validates exp and nbf and alerts on discrepancies.
Monitoring Recommendations
- Monitor for camel-keycloak dependency versions in the vulnerable ranges 4.18.0-4.18.2 and 4.19.0-4.20.x across build manifests and running artifacts.
- Alert on any authentication event where the presented token's exp is earlier than the current server time.
- Track anomalous token reuse patterns, including tokens presented after user logout or admin-initiated session revocation.
How to Mitigate CVE-2026-46455
Immediate Actions Required
- Upgrade Apache Camel to 4.21.0 on the 4.19.x/4.20.x branch, or to 4.18.3 on the 4.18.x branch.
- Inventory all applications and integration flows using the camel-keycloak component and prioritize patching for internet-facing routes.
- Reduce Keycloak access-token lifetimes to limit the exposure window for any tokens accepted before patching.
Patch Information
Apache Camel releases 4.18.3 and 4.21.0 fix the issue by updating KeycloakSecurityHelper.parseAndVerifyAccessToken to include the TokenVerifier.IS_ACTIVE check alongside the subject and issuer checks. This aligns the helper with Keycloak's default check set and causes expired or not-yet-valid tokens to be rejected. Full details are available in the Apache Camel CVE-2026-46455 Advisory.
Workarounds
- Validate the access token's exp and nbf claims explicitly in the Camel route before trusting the helper's verification result.
- Configure Keycloak with short access-token lifetimes to minimize the practical window for replaying expired tokens.
- Terminate TLS and validate token expiration at an upstream API gateway or resource server so expired tokens never reach the Camel route.
- Restrict network access to Camel endpoints protected by KeycloakSecurityHelper until the upgrade is applied.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

