CVE-2026-53913
Received Received - Intake

Improper Authentication in Apache Camel Keycloak Component

Vulnerability report for CVE-2026-53913, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: Apache Software Foundation

Description

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely ('Failing Open') vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and issuer for token introspection) is performed exclusively inside those role and permission checks. KeycloakSecurityPolicy defaults requiredRoles and requiredPermissions to empty - which is the documented 'Basic Setup' - so on a route configured that way the role and permission checks are skipped and the access token is therefore never verified. The token-presence check still rejects a missing token, but an invalid token is accepted: any non-null value in the Authorization: Bearer header - including an arbitrary string or a forged, unsigned JWT - passes the policy and the request reaches the protected route, with no signature, issuer or expiry check and no request to Keycloak. The token is read from the inbound request header because allowTokenFromHeader defaults to true. Because the normal reason to place a route behind this policy is that the route performs server-side work, the bypass results in unauthenticated access to that work; where the protected route forwards to a code-execution-capable producer, it can result in unauthenticated remote code execution. This defect is independent of CVE-2026-23552: that issue concerned the issuer claim and was fixed by adding a check inside the verification routine, but here the verification routine is not reached at all in the default configuration, so the defect remains. This issue affects Apache Camel: from 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0. Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at the framework layer ahead of the policy.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-06
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
apache camel 4.15.0
apache camel 4.18.3
apache camel 4.19.0
apache camel 4.21.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-636 When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, such as selecting the weakest encryption algorithm or using the most permissive access control restrictions.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-53913 is a high-severity security vulnerability in Apache Camel's camel-keycloak component involving an authentication bypass.

The KeycloakSecurityPolicy normally verifies bearer access tokens by checking their signature, issuer, and expiry during role or permission validation.

However, when the policy is configured with empty requiredRoles and requiredPermissions (the default 'Basic Setup'), the token verification process is skipped entirely.

This means any non-null bearer token, including forged or unsigned tokens, can bypass authentication and access protected routes.

Because the token presence check only rejects missing tokens but not invalid ones, the system 'fails open' and allows unauthenticated access.

If the protected route forwards to a code-execution-capable producer, this can lead to unauthenticated remote code execution.

Impact Analysis

This vulnerability can allow attackers to bypass authentication and gain unauthorized access to protected routes in Apache Camel applications.

If the protected route interacts with components capable of executing code, attackers could achieve unauthenticated remote code execution.

This unauthorized access can compromise the confidentiality, integrity, and availability of the affected system.

Detection Guidance

This vulnerability involves improper authentication in the Apache Camel Keycloak component where bearer tokens are not properly verified if required roles or permissions are not set. Detection involves checking if routes protected by KeycloakSecurityPolicy have empty requiredRoles and requiredPermissions configurations, which causes token verification to be skipped.

To detect this on your system, you should audit your Apache Camel route configurations for KeycloakSecurityPolicy usage and verify if requiredRoles or requiredPermissions are non-empty. Additionally, monitoring network traffic for Authorization: Bearer headers carrying arbitrary or unsigned tokens that are accepted can indicate exploitation attempts.

Specific commands depend on your environment, but examples include:

  • Review Apache Camel route configurations for KeycloakSecurityPolicy settings, e.g., grep or search for 'KeycloakSecurityPolicy' and check requiredRoles and requiredPermissions values.
  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests with Authorization headers: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'Authorization: Bearer'
  • Check application logs for requests accepted with invalid or forged bearer tokens.
Mitigation Strategies

Immediate mitigation steps include upgrading Apache Camel to a fixed version or applying configuration changes to enforce proper token verification.

  • Upgrade Apache Camel to version 4.21.0 or later, or if using the 4.18.x stream, upgrade to 4.18.3.
  • Configure every KeycloakSecurityPolicy with non-empty requiredRoles or requiredPermissions to ensure the token verification path is exercised.
  • Set allowTokenFromHeader to false if your deployment does not expect tokens from the request header.
  • Perform token verification at the framework layer ahead of the KeycloakSecurityPolicy.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53913. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart