CVE-2026-46455

Apache Software Foundation · Apache Camel

The Apache Camel Keycloak component fails to properly validate token expiration and 'not-before' claims, allowing the acceptance of expired or invalid access tokens.

Executive summary

An authentication flaw in the Apache Camel Keycloak component allows the use of expired or invalid tokens, potentially granting unauthorized access to protected routes.

Vulnerability

The 'KeycloakSecurityHelper' fails to invoke the 'IS_ACTIVE' predicate during token verification, meaning the system validates the signature but ignores the token's expiration (exp) and 'not-before' (nbf) claims. This represents an authentication bypass scenario where unauthenticated attackers can reuse expired tokens to gain persistent unauthorized access.

Business impact

This vulnerability undermines the entire authentication mechanism for applications relying on the Keycloak integration. With a CVSS score of 9.8, the potential for unauthorized access, data compromise, and full system impact is extreme, as an attacker can maintain access long after a session should have expired.

Remediation

Immediate Action: Apply the vendor-provided security update by upgrading to version 4.21.0 or 4.18.3.

Proactive Monitoring: Audit application logs for patterns of session reuse and verify if incoming requests are being accepted with tokens that have exceeded their intended lifetime.

Compensating Controls: For systems that cannot be immediately patched, enforce strict token expiration checks within the application route logic and ensure that upstream API gateways perform comprehensive token validation.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Authentication bypass vulnerabilities of this nature are critical and require immediate remediation. Security teams must ensure that all instances of the affected Camel Keycloak component are updated to prevent the use of invalid or expired credentials.