PT-2026-20652 · Red Hat · Keycloak

Andrea Cosentino · Published 2026-02-19 · Updated 2026-02-28

CVE-2026-23552
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Apache Camel versions 4.15.0 through 4.17.9

Description: The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. This allows a token issued by one Keycloak realm to be silently accepted by a policy configured for a different realm, which breaks tenant isolation. The iss claim identifies the issuer of the JWT.

Recommendations: Upgrade to version 4.18.0 to resolve this issue.
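The following is an added Python illustration, not code from Apache Camel or from the fix, of the check the description says is missing: the token's iss claim must equal the issuer of the realm the policy was configured for, which for Keycloak has the form <base URL>/realms/<realm>. The base URL, realm names and sample tokens are constructed for the example, and the check is meant to run in addition to signature verification, not instead of it.

```python
import base64
import json

# Keycloak issues tokens with iss = <base URL>/realms/<realm>. Base URL and
# realm names used below are constructed for this example.
def expected_issuer(keycloak_base_url: str, realm: str) -> str:
    return f"{keycloak_base_url.rstrip('/')}/realms/{realm}"

def _decode_payload(token: str) -> dict:
    # Decode only the payload segment of a compact JWS. Signature verification
    # is a separate step a real policy still has to perform first.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def issuer_accepted(token: str, keycloak_base_url: str, realm: str) -> bool:
    # A token whose iss claim is missing, or is anything other than the exact
    # issuer of the configured realm, belongs to another tenant (or to no
    # Keycloak realm at all) and must be rejected.
    iss = _decode_payload(token).get("iss")
    return isinstance(iss, str) and iss == expected_issuer(keycloak_base_url, realm)

def make_sample_token(claims: dict) -> str:
    # Constructed sample token with a placeholder signature segment; it only
    # exists to feed the issuer check above and would fail real verification.
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.sig"

BASE = "https://sso.example.test"  # constructed base URL
TENANT_A = make_sample_token({"iss": f"{BASE}/realms/tenant-a", "sub": "alice"})
TENANT_B = make_sample_token({"iss": f"{BASE}/realms/tenant-b", "sub": "bob"})
NO_ISS = make_sample_token({"sub": "carol"})

if __name__ == "__main__":
    # A policy configured for realm tenant-b must accept only tenant-b's tokens.
    for name, tok in [("tenant-a", TENANT_A), ("tenant-b", TENANT_B), ("no iss", NO_ISS)]:
        print(f"{name}: accepted by tenant-b policy = {issuer_accepted(tok, BASE, 'tenant-b')}")
```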


Weakness Enumeration: Origin Validation Error (CWE-346)

Related Identifiers

CVE-2026-23552
GHSA-C3F3-CC42-XR9V

Affected Products

Apache Camel
Keycloak