CVE-2026-23552

Apache · Camel Keycloak

Apache Camel Keycloak fails to validate the issuer claim of JWT tokens, allowing tokens from one realm to be accepted by another, thereby breaking tenant isolation.

Executive summary

A critical authentication bypass in the Apache Camel Keycloak component allows attackers to use tokens from unauthorized realms to access protected resources, compromising multi-tenant security.

Vulnerability

The KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. This allows an authenticated user from one Keycloak realm to present a valid token to a policy configured for a different realm, which is then incorrectly accepted.

Business impact

This flaw completely breaks tenant isolation in multi-tenant environments. An attacker with access to any realm on a Keycloak server can gain unauthorized access to data and services in every other realm managed by the same Apache Camel policy. The CVSS score is 9.1.

Remediation

Immediate Action: Upgrade Apache Camel to version 4.18.0 or later to ensure that JWT issuer claims are properly validated against the configured realm.

Proactive Monitoring: Audit application logs for successful logins where the token's issuer does not match the expected tenant realm.

Compensating Controls: Implement issuer validation in application logic, or use a gateway/proxy that checks the token's iss claim against the expected realm issuer, before traffic reaches the Camel component.
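The following is an added illustration of the two defender-side controls listed above (the issuer check a gateway or application layer can apply, and the log audit for cross-realm logins); it is not code from Apache Camel or Keycloak. It assumes a Keycloak-style issuer of the form https://<host>/realms/<realm>, uses a constructed HS256 secret purely to keep the example self-contained (real Keycloak realms sign with RS256 keys served from the realm's JWKS endpoint, and the signature must be checked against the keys of the realm the policy is configured for), and the log format and log lines are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret, only so the tokens below are self-contained.
DEMO_SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact JWT (HS256) for the constructed claims."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_token(token: str, expected_issuer: str, secret: bytes = DEMO_SECRET) -> dict:
    """Return the claims only if the signature is valid AND iss matches exactly.

    The issuer comparison is the check the advisory describes as missing: a
    policy configured for one realm must reject tokens whose iss names any
    other realm, even when those tokens are otherwise valid.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Exact, case-sensitive match against the single configured issuer;
    # no prefix or substring matching.
    if claims.get("iss") != expected_issuer:
        raise ValueError(f"issuer {claims.get('iss')!r} not accepted by this policy")
    return claims


# Constructed log lines: key=value pairs, one login event per line.
SAMPLE_LOG = """\
event=login outcome=success realm=tenant-a iss=https://sso.example.test/realms/tenant-a sub=alice
event=login outcome=success realm=tenant-a iss=https://sso.example.test/realms/tenant-b sub=mallory
event=login outcome=failure realm=tenant-b iss=https://sso.example.test/realms/tenant-b sub=bob
event=login outcome=success realm=tenant-b iss=https://sso.example.test/realms/tenant-b sub=bob
"""


def find_cross_realm_logins(log_text: str, issuer_base: str) -> list:
    """Flag successful logins whose token issuer is not the realm's own issuer."""
    hits = []
    for line in log_text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("event") != "login" or fields.get("outcome") != "success":
            continue
        expected = f"{issuer_base}/realms/{fields['realm']}"
        if fields.get("iss") != expected:
            hits.append(fields)
    return hits


if __name__ == "__main__":
    issuer_a = "https://sso.example.test/realms/tenant-a"
    issuer_b = "https://sso.example.test/realms/tenant-b"
    token_a = make_token({"iss": issuer_a, "sub": "alice"})
    token_b = make_token({"iss": issuer_b, "sub": "mallory"})
    print("tenant-a token on tenant-a policy:", verify_token(token_a, issuer_a)["sub"])
    for tok, label in ((token_b, "tenant-b token on tenant-a policy"),):
        try:
            verify_token(tok, issuer_a)
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
    for hit in find_cross_realm_logins(SAMPLE_LOG, "https://sso.example.test"):
        print("audit hit:", hit)
```

The audit function flags only successful logins, matching the monitoring guidance above; failed attempts with a foreign issuer are expected noise, whereas a success with a mismatched iss is the signal that a policy accepted a token it should have rejected.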

Exploitation status

Public Exploit Available: false

Analyst recommendation

The failure to validate token issuers is a severe security gap. Organizations using Apache Camel with Keycloak must move to version 4.18.0 immediately to restore the security boundaries between their tenants.