Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-53913— Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted

AI Predicted 9.8 Difficulty: Easy
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-53913

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted
Source: NVD (National Vulnerability Database)
Vulnerability Description
Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely ('Failing Open') vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and issuer for token introspection) is performed exclusively inside those role and permission checks. KeycloakSecurityPolicy defaults requiredRoles and requiredPermissions to empty - which is the documented 'Basic Setup' - so on a route configured that way the role and permission checks are skipped and the access token is therefore never verified. The token-presence check still rejects a missing token, but an invalid token is accepted: any non-null value in the Authorization: Bearer header - including an arbitrary string or a forged, unsigned JWT - passes the policy and the request reaches the protected route, with no signature, issuer or expiry check and no request to Keycloak. The token is read from the inbound request header because allowTokenFromHeader defaults to true. Because the normal reason to place a route behind this policy is that the route performs server-side work, the bypass results in unauthenticated access to that work; where the protected route forwards to a code-execution-capable producer, it can result in unauthenticated remote code execution. This defect is independent of CVE-2026-23552: that issue concerned the issuer claim and was fixed by adding a check inside the verification routine, but here the verification routine is not reached at all in the default configuration, so the defect remains. This issue affects Apache Camel: from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at the framework layer ahead of the policy.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
认证机制不恰当
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Apache Software FoundationApache Camel Keycloak 4.15.0 ~ 4.18.3 -

II. Public POCs for CVE-2026-53913

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-53913

登录查看更多情报信息。

Vendor Advisories for CVE-2026-53913 (1)

Same Patch Batch · Apache Software Foundation · 2026-07-06 · 38 CVEs total

CVE-2026-46457Apache Camel: Camel-NATS: Inbound NATS message headers are mapped into the Exchange withou
CVE-2026-48205Apache Camel DNS: The dns.* and term Exchange header constants used non-Camel-prefixed nam
CVE-2026-48204Apache Camel: Camel-MongoDB-GridFS: The gridfs.* control headers used non-Camel-prefixed n
CVE-2026-48203Apache Camel: Camel-Solr: The SolrParam. and SolrField. Exchange header prefixes used non-
CVE-2026-46726Apache Camel Vertx Websocket: The inbound consumer maps externally-supplied WebSocket quer
CVE-2026-46592Apache Camel: Camel-CXF: The SOAP operation-selection headers used non-Camel-prefixed name
CVE-2026-46591Apache Camel: Camel-Neo4j: JSON property names from the CamelNeo4jMatchProperties header a
CVE-2026-46590Apache Camel: Camel-PQC: The HashiCorp Vault and AWS Secrets Manager key-lifecycle manager
CVE-2026-46585Apache Camel Lucene: The query control headers used non-Camel-prefixed names (QUERY, RETUR
CVE-2026-46584Apache Camel Mail: The mail producer applied attacker-supplied message headers as JavaMail
CVE-2026-48206Apache Camel JIRA: A set of non-Camel-prefixed Exchange header constants bypass the HTTP h
CVE-2026-46456Apache Camel: Camel-AWS2-SQS: Inbound message attributes are mapped into the Exchange with
CVE-2026-46455Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the
CVE-2026-46454Apache Camel: Camel-Cometd: Inbound Bayeux message headers are mapped into the Exchange wi
CVE-2026-46453Apache Camel: Camel-Elasticsearch-Rest-Client: Exchange header constants without the Camel
CVE-2026-43865Apache Camel: Camel-Hazelcast: Unsafe Java deserialization in default-configured managed H
CVE-2026-42527Apache Camel: Permissive default ObjectInputFilter pattern admits java.net.** and enables
CVE-2026-40859Apache Camel: Camel-Vertx-Http: Unsafe Java deserialization of HTTP response bodies via a
CVE-2026-40047Apache Camel: Camel-Docling: Insufficient validation of custom CLI arguments enables argum
CVE-2026-56140Apache Camel AWS2 SNS: An inbound Camel-namespace filter was added to Sns2HeaderFilterStra

Showing top 20 of 38 CVEs. View all on vendor page → →

IV. Related Vulnerabilities

V. Comments for CVE-2026-53913

No comments yet


Leave a comment