CVE-2026-23552

Severity: Critical · Public PoC
Published: 23 February 2026
Modified: 26 February 2026
KEV Added: not listed
Patch: 4.18.0 (fixed version)
CVSS Score (v3.1): 9.1 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score: 0.0040 (31.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-23552 is a critical-severity Origin Validation Error (CWE-346) vulnerability in Apache Camel. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-13 (Identity Providers and Authorization Servers).

Deeper analysis

CVE-2026-23552 is a Cross-Realm Token Acceptance Bypass vulnerability in the KeycloakSecurityPolicy component of Apache Camel Keycloak. The policy fails to validate the iss (issuer) claim in JWT tokens against the configured Keycloak realm, allowing tokens issued by one realm to be silently accepted by a policy set for a different realm. This breaks tenant isolation. The issue affects Apache Camel versions from 4.15.0 up to but not including 4.18.0, with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-346 (Origin Validation Error).

Attackers can exploit this vulnerability remotely without privileges or user interaction by obtaining a valid JWT token from any Keycloak realm and submitting it to an Apache Camel endpoint protected by a KeycloakSecurityPolicy configured for a different realm. Successful exploitation bypasses intended authentication and authorization controls, granting unauthorized access to protected resources and potentially enabling high-impact confidentiality and integrity violations, such as data exfiltration or modification across tenant boundaries.

Apache Camel advisories recommend upgrading to version 4.18.0, which addresses the issue by enforcing iss claim validation. Detailed information is available in the official security advisory at https://camel.apache.org/security/CVE-2026-23552.html, a GitHub repository at https://github.com/oscerd/CVE-2026-23552, and an announcement on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/02/18/7.

Vulnerability details

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy, Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation. This issue affects Apache Camel: from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue.

CWE(s)

CWE-346 Origin Validation Error
Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1550.001 Application Access Token (Lateral Movement)
Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems.

Why these techniques?

Remote authentication bypass through acceptance of JWTs issued by a different realm directly enables exploitation of public-facing applications and use of alternate application access tokens.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25747 (same product: Apache Camel)
CVE-2026-33454 (same product: Apache Camel)
CVE-2026-40473 (same product: Apache Camel)
CVE-2025-27636 (same product: Apache Camel)
CVE-2026-40860 (same product: Apache Camel)
CVE-2026-47323 (same product: Apache Camel)
CVE-2026-33453 (same product: Apache Camel)
CVE-2026-40022 (same product: Apache Camel)
CVE-2026-40858 (same product: Apache Camel)
CVE-2026-40453 (same product: Apache Camel)

Affected Assets

Vendor: apache
Product: camel
Versions: from 4.15.0 before 4.18.0 (4.18.0 fixes the issue)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

prevent: Requires timely identification, reporting, and correction of flaws like the missing iss claim validation in Apache Camel KeycloakSecurityPolicy, directly mitigated by upgrading to version 4.18.0.

IA-13 (Identity Providers and Authorization Servers), prevent: Mandates management and configuration of authorization servers like Keycloak realms to enforce issuer validation, preventing cross-realm token acceptance and tenant isolation bypass.

AC-3 (Access Enforcement), prevent: Ensures access enforcement mechanisms such as KeycloakSecurityPolicy properly validate JWT token claims, including iss, against the configured realm to block unauthorized access.

References