CVE-2026-46455
Apache Software Foundation · Apache Camel
The Apache Camel Keycloak component fails to properly validate token expiration and 'not-before' claims, allowing the acceptance of expired or invalid access tokens.
Executive summary
An authentication flaw in the Apache Camel Keycloak component allows the use of expired or invalid tokens, potentially granting unauthorized access to protected routes.
Vulnerability
The 'KeycloakSecurityHelper' fails to invoke the 'IS_ACTIVE' predicate during token verification, meaning the system validates the signature but ignores the token's expiration (exp) and 'not-before' (nbf) claims. This represents an authentication bypass scenario where unauthenticated attackers can reuse expired tokens to gain persistent unauthorized access.
Business impact
This vulnerability undermines the entire authentication mechanism for applications relying on the Keycloak integration. With a CVSS score of 9.8, the potential for unauthorized access, data compromise, and full system impact is extreme, as an attacker can maintain access long after a session should have expired.
Remediation
Immediate Action: Apply the vendor-provided security update by upgrading to version 4.21.0 or 4.18.3.
Proactive Monitoring: Audit application logs for patterns of session reuse and verify if incoming requests are being accepted with tokens that have exceeded their intended lifetime.
Compensating Controls: For systems that cannot be immediately patched, enforce strict token expiration checks within the application route logic and ensure that upstream API gateways perform comprehensive token validation.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Authentication bypass vulnerabilities of this nature are critical and require immediate remediation. Security teams must ensure that all instances of the affected Camel Keycloak component are updated to prevent the use of invalid or expired credentials.