Zero Day MonitorZDM
DashboardVulnerabilitiesTrendingZero-DaysNewsAbout
Login
ImpressumPrivacy Policy
Zero Day Monitor © 2026
3110 articles · 172043 vulns · 37/41 feeds (7d)
← Back to list
9.8
CVE-2026-53913PATCHED
apache software foundation · apache camel keycloak

Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted

Description

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely ('Failing Open') vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and issuer for token introspection) is performed exclusively inside those role and permission checks. KeycloakSecurityPolicy defaults requiredRoles and requiredPermissions to empty - which is the documented 'Basic Setup' - so on a route configured that way the role and permission checks are skipped and the access token is therefore never verified. The token-presence check still rejects a missing token, but an invalid token is accepted: any non-null value in the Authorization: Bearer header - including an arbitrary string or a forged, unsigned JWT - passes the policy and the request reaches the protected route, with no signature, issuer or expiry check and no request to Keycloak. The token is read from the inbound request header because allowTokenFromHeader defaults to true. Because the normal reason to place a route behind this policy is that the route performs server-side work, the bypass results in unauthenticated access to that work; where the protected route forwards to a code-execution-capable producer, it can result in unauthenticated remote code execution. This defect is independent of CVE-2026-23552: that issue concerned the issuer claim and was fixed by adding a check inside the verification routine, but here the verification routine is not reached at all in the default configuration, so the defect remains. This issue affects Apache Camel: from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at the framework layer ahead of the policy.

Affected Products

VendorProductVersions
apache software foundationapache camel keycloak4.15.0, 4.19.0

Also Affects

Downstream vendors/products affected by this vulnerability

VendorProductSourceConfidence
apachecamelcert_advisory90%

References

  • https://camel.apache.org/security/CVE-2026-53913.html(vendor-advisory)

Related News (3 articles)

Tier B
BSI Advisories1d ago
[NEU] [hoch] Apache Camel: Mehrere Schwachstellen
→ No new info (linked only)
Tier C
VulDB2d ago
CVE-2026-53913 | Apache Camel up to 4.18.2/4.20.x Camel-Keycloak permission
→ No new info (linked only)
Tier C
oss-security2d ago
CVE-2026-53913: Apache Camel: Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a
→ No new info (linked only)
CVSS 3.19.8 CRITICAL
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV❌ No
Actively exploited❌ No
Patch available
4.18.34.21.0
CWECWE-287, CWE-306, CWE-636
PublishedJul 6, 2026
Trending Score44
Source articles3
Independent3
Info Completeness0/14
Missing: cve_id, title, description, vendor, product, versions, cvss, epss, cwe, kev, exploit, patch, iocs, mitre_attack

Community Vote

0
Login to vote
0 upvotes0 downvotes
No votes yet

Related CVEs (5)

CRITICALCVE-2026-33264EXP
Apache Airflow: DAG author RCE on webserver via unrestricted import_string() in BaseSerialization.deserialize()
Trending: 76
MEDIUMCVE-2026-48892EXP
Apache Airflow: Config API leaks per-key secrets backend kwargs - masker bypass on synthetic options
Trending: 55
MEDIUMCVE-2026-48828EXP
Apache Airflow: Bulk JSON Variables bypass should_hide_value_for_key - redact() called without the key
Trending: 55
MEDIUMCVE-2026-48891EXP
Apache Airflow: /ui/dependencies scheduling graph leaks unreadable Dag identifiers via trigger/sensor dep.source/dep.target
Trending: 52
NONECVE-2026-49487EXP
Apache Airflow: Task-instance API exposes secrets in deferred trigger kwargs
Trending: 52

Pin to Dashboard

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published
Jul 6, 2026
Discovered by ZDM
Jul 6, 2026
Patch Available
Jul 7, 2026