PT-2026-55908 · Apache · Apache Camel
Andrea Cosentino
·
Published
2026-07-06
·
Updated
2026-07-06
·
CVE-2026-53913
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions
Apache Camel versions 4.15.0 through 4.18.2
Apache Camel versions 4.19.0 through 4.20.9
Description
Improper authentication and a failure to fail securely in the Apache Camel Keycloak component allow unauthenticated access to protected routes. The
KeycloakSecurityPolicy uses the KeycloakSecurityProcessor.beforeProcess() function to validate requests. By default, the requiredRoles and requiredPermissions variables are empty, causing the system to skip cryptographic verification of the bearer access token, including checks for signature, issuer, and expiry. While requests without a token are rejected, any non-null value in the Authorization: Bearer header—such as an arbitrary string or a forged, unsigned JWT—is accepted. This occurs because allowTokenFromHeader is set to true by default. If a protected route forwards to a producer capable of executing code, this flaw can lead to unauthenticated remote code execution.Recommendations
Update Apache Camel to version 4.21.0.
Update Apache Camel to version 4.18.3 for those on the 4.18.x release stream.
Configure a non-empty
requiredRoles or requiredPermissions on every KeycloakSecurityPolicy to ensure token verification is performed.
Set allowTokenFromHeader to false if the token is not expected to come from the request header.
Perform token verification at the framework layer before the policy is applied.Missing Authentication
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Apache Camel