CVE-2026-53913
Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted
Description
Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely ('Failing Open') vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and issuer for token introspection) is performed exclusively inside those role and permission checks. KeycloakSecurityPolicy defaults requiredRoles and requiredPermissions to empty - which is the documented 'Basic Setup' - so on a route configured that way the role and permission checks are skipped and the access token is therefore never verified. The token-presence check still rejects a missing token, but an invalid token is accepted: any non-null value in the Authorization: Bearer header - including an arbitrary string or a forged, unsigned JWT - passes the policy and the request reaches the protected route, with no signature, issuer or expiry check and no request to Keycloak. The token is read from the inbound request header because allowTokenFromHeader defaults to true. Because the normal reason to place a route behind this policy is that the route performs server-side work, the bypass results in unauthenticated access to that work; where the protected route forwards to a code-execution-capable producer, it can result in unauthenticated remote code execution. This defect is independent of CVE-2026-23552: that issue concerned the issuer claim and was fixed by adding a check inside the verification routine, but here the verification routine is not reached at all in the default configuration, so the defect remains. This issue affects Apache Camel: from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at the framework layer ahead of the policy.
INFO
Published Date :
July 6, 2026, 9:16 a.m.
Last Modified :
July 6, 2026, 10:10 a.m.
Remotely Exploit :
No
Source :
[email protected]
Affected Products
The following products are affected by CVE-2026-53913
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
Solution
- Upgrade to Apache Camel version 4.21.0 or later.
- Upgrade to Apache Camel version 4.18.3 if using 4.18.x.
- Configure non-empty requiredRoles or requiredPermissions.
- Set allowTokenFromHeader to false if applicable.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-53913.
| URL | Resource |
|---|---|
| https://camel.apache.org/security/CVE-2026-53913.html |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-53913 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-53913
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-53913 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2026-53913 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Translated by [email protected]
Jul. 06, 2026
Action Type Old Value New Value Added Translation Title: Keycloak de Apache Camel, Description: Vulnerabilidad por autenticación incorrecta, falta de autenticación para funciones críticas y fallo de seguridad (Failing Open) en el componente Keycloak de Apache Camel. La política KeycloakSecurityPolicy de camel-keycloak protege una ruta ejecutando KeycloakSecurityProcessor.beforeProcess(), que realiza tres comprobaciones en secuencia: rechaza una solicitud que no incluya un token de acceso; a continuación, solo si requiredRoles no está vacío, valida los roles; y, solo si requiredPermissions no está vacío, valida los permisos. La verificación criptográfica propiamente dicha del token de acceso de portador (firma, emisor y fecha de caducidad para un JWT local, o estado activo y emisor para la introspección del token) se lleva a cabo exclusivamente dentro de esas comprobaciones de roles y permisos. KeycloakSecurityPolicy establece por defecto requiredRoles y requiredPermissions como vacíos —lo que constituye la configuración básica documentada—, por lo que, en una ruta configurada de ese modo, se omiten las comprobaciones de roles y permisos y, por lo tanto, el token de acceso nunca se verifica. La comprobación de presencia del token sigue rechazando un token ausente, pero se acepta un token no válido: cualquier valor distinto de nulo en el encabezado Authorization: Bearer —incluida una cadena arbitraria o un JWT falsificado y sin firmar— supera la política y la solicitud llega a la ruta protegida, sin que se comprueben la firma, el emisor o la fecha de caducidad, y sin que se envíe ninguna solicitud a Keycloak. El token se lee del encabezado de la solicitud entrante porque allowTokenFromHeader tiene por defecto el valor «true». Dado que la razón habitual para situar una ruta detrás de esta política es que dicha ruta realice tareas del lado del servidor, esta omisión da lugar a un acceso no autenticado a dichas tareas; cuando la ruta protegida reenvía a un productor capaz de ejecutar código, puede dar lugar a la ejecución remota de código sin autenticación. Este defecto es independiente de CVE-2026-23552: ese problema se refería a la reclamación del emisor y se solucionó añadiendo una comprobación dentro de la rutina de verificación, pero en este caso no se llega en absoluto a la rutina de verificación en la configuración por defecto, por lo que el defecto persiste. Este problema afecta a Apache Camel: desde la versión 4.15.0 hasta la 4.18.3, y desde la 4.19.0 hasta la 4.21.0. Se recomienda a los usuarios que actualicen a la versión 4.21.0, que corrige el problema. Si los usuarios utilizan la rama de versiones 4.18.x, se les sugiere que actualicen a la 4.18.3. En el caso de las implementaciones que no puedan actualizarse de inmediato, configure un requiredRoles o requiredPermissions no vacío en cada KeycloakSecurityPolicy para que se ejecute la ruta de verificación del token, establezca allowTokenFromHeader en false cuando no se espere que el token provenga del encabezado de la solicitud, o realice la verificación del token en la capa del marco de trabajo antes de la política. -
New CVE Received by [email protected]
Jul. 06, 2026
Action Type Old Value New Value Added Affected [{'vendor': 'Apache Software Foundation', 'product': 'Apache Camel Keycloak', 'versions': [{'status': 'affected', 'version': '4.15.0', 'lessThan': '4.18.3', 'versionType': 'semver'}, {'status': 'affected', 'version': '4.19.0', 'lessThan': '4.21.0', 'versionType': 'semver'}], 'packageName': 'org.apache.camel:camel-keycloak', 'collectionURL': 'https://repo.maven.apache.org/maven2', 'defaultStatus': 'unaffected'}] Added Description Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely ('Failing Open') vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and issuer for token introspection) is performed exclusively inside those role and permission checks. KeycloakSecurityPolicy defaults requiredRoles and requiredPermissions to empty - which is the documented 'Basic Setup' - so on a route configured that way the role and permission checks are skipped and the access token is therefore never verified. The token-presence check still rejects a missing token, but an invalid token is accepted: any non-null value in the Authorization: Bearer header - including an arbitrary string or a forged, unsigned JWT - passes the policy and the request reaches the protected route, with no signature, issuer or expiry check and no request to Keycloak. The token is read from the inbound request header because allowTokenFromHeader defaults to true. Because the normal reason to place a route behind this policy is that the route performs server-side work, the bypass results in unauthenticated access to that work; where the protected route forwards to a code-execution-capable producer, it can result in unauthenticated remote code execution. This defect is independent of CVE-2026-23552: that issue concerned the issuer claim and was fixed by adding a check inside the verification routine, but here the verification routine is not reached at all in the default configuration, so the defect remains. This issue affects Apache Camel: from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at the framework layer ahead of the policy. Added CWE CWE-287 Added CWE CWE-306 Added CWE CWE-636 Added Reference https://camel.apache.org/security/CVE-2026-53913.html