PT-2026-55908 · Apache · Apache Camel

Andrea Cosentino

·

Published

2026-07-06

·

Updated

2026-07-06

·

CVE-2026-53913

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9
Description Improper authentication and a failure to fail securely in the Apache Camel Keycloak component allow unauthenticated access to protected routes. The KeycloakSecurityPolicy uses the KeycloakSecurityProcessor.beforeProcess() function to validate requests. By default, the requiredRoles and requiredPermissions variables are empty, causing the system to skip cryptographic verification of the bearer access token, including checks for signature, issuer, and expiry. While requests without a token are rejected, any non-null value in the Authorization: Bearer header—such as an arbitrary string or a forged, unsigned JWT—is accepted. This occurs because allowTokenFromHeader is set to true by default. If a protected route forwards to a producer capable of executing code, this flaw can lead to unauthenticated remote code execution.
Recommendations Update Apache Camel to version 4.21.0. Update Apache Camel to version 4.18.3 for those on the 4.18.x release stream. Configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy to ensure token verification is performed. Set allowTokenFromHeader to false if the token is not expected to come from the request header. Perform token verification at the framework layer before the policy is applied.

Missing Authentication

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-53913

Affected Products

Apache Camel