CVE-2026-23552
Published: 23 February 2026
Summary
CVE-2026-23552 is a critical-severity Origin Validation Error (CWE-346) vulnerability in Apache Camel. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 13.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-13 (Identity Providers and Authorization Servers).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of flaws such as the missing iss claim validation in the Apache Camel KeycloakSecurityPolicy, directly mitigated by upgrading to version 4.18.0.
- IA-13 (Identity Providers and Authorization Servers): Mandates management and configuration of authorization servers such as Keycloak realms to enforce issuer validation, preventing cross-realm token acceptance and tenant isolation bypass.
- AC-3 (Access Enforcement): Ensures access enforcement mechanisms such as KeycloakSecurityPolicy validate JWT token claims, including iss, against the configured realm to block unauthorized access.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote authentication bypass through acceptance of a JWT issued by a different Keycloak realm directly enables exploitation of public-facing applications (T1190) and use of alternate application access tokens.
NVD Description
Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation. This issue affects Apache Camel: from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue.
Deeper analysis
CVE-2026-23552 is a Cross-Realm Token Acceptance Bypass vulnerability in the KeycloakSecurityPolicy of the Apache Camel Keycloak component. The policy fails to validate the iss (issuer) claim in JWT tokens against the configured Keycloak realm, allowing tokens issued by one realm to be silently accepted by a policy set for a different realm. This breaks tenant isolation. The issue affects Apache Camel versions from 4.15.0 up to but not including 4.18.0, carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), and is classified as CWE-346 (Origin Validation Error).
Attackers can exploit this vulnerability remotely without privileges or user interaction by obtaining a valid JWT token from any Keycloak realm and submitting it to an Apache Camel endpoint protected by a KeycloakSecurityPolicy configured for a different realm. Successful exploitation bypasses intended authentication and authorization controls, granting unauthorized access to protected resources and potentially enabling high-impact confidentiality and integrity violations, such as data exfiltration or modification across tenant boundaries.
Apache Camel advisories recommend upgrading to version 4.18.0, which addresses the issue by enforcing iss claim validation. Detailed information is available in the official security advisory at https://camel.apache.org/security/CVE-2026-23552.html, a GitHub repository at https://github.com/oscerd/CVE-2026-23552, and an announcement on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/02/18/7.
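The issuer check the analysis above describes, as an added illustration that is not code from Apache Camel or the advisory: it decodes the JWT payload, builds the expected Keycloak issuer URL (Keycloak issues tokens with iss equal to <server-url>/realms/<realm>) and accepts a token only when iss matches exactly. The server URL, realm names and tokens are constructed placeholders, and signature verification is assumed to have already happened upstream.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS (signature not checked here;
    in a real policy the signature is verified before any claim is trusted)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))

def expected_issuer(server_url: str, realm: str) -> str:
    # Keycloak realm issuer: <server-url>/realms/<realm>
    return f"{server_url.rstrip('/')}/realms/{realm}"

def issuer_matches(token: str, server_url: str, realm: str) -> bool:
    """The check the vulnerable policy omitted: iss must be present and equal
    (exact string match, not a prefix match) to the configured realm's issuer."""
    iss = jwt_claims(token).get("iss")
    return isinstance(iss, str) and iss == expected_issuer(server_url, realm)

def make_sample_token(claims: dict) -> str:
    # Constructed demo token: real header and payload, placeholder signature.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig-placeholder"

KEYCLOAK = "https://sso.example.test"  # placeholder Keycloak server URL
POLICY_REALM = "tenant-a"              # realm this policy is configured for

# Constructed tokens: the configured realm, a different realm, and no iss at all.
TOKEN_SAME_REALM = make_sample_token({"iss": f"{KEYCLOAK}/realms/tenant-a", "sub": "alice"})
TOKEN_OTHER_REALM = make_sample_token({"iss": f"{KEYCLOAK}/realms/tenant-b", "sub": "mallory"})
TOKEN_NO_ISS = make_sample_token({"sub": "nobody"})

def policy_decision(token: str, check_issuer: bool) -> bool:
    """check_issuer=False models the pre-4.18.0 behaviour (any decodable token
    is accepted regardless of realm); True models the fixed behaviour."""
    jwt_claims(token)  # raises on a malformed token either way
    if not check_issuer:
        return True
    return issuer_matches(token, KEYCLOAK, POLICY_REALM)

if __name__ == "__main__":
    for name, tok in [("same realm", TOKEN_SAME_REALM), ("other realm", TOKEN_OTHER_REALM), ("no iss", TOKEN_NO_ISS)]:
        print(f"{name:12} vulnerable={policy_decision(tok, False)} fixed={policy_decision(tok, True)}")
```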
Details
- CWE(s)