CVE-2026-23552

Awaiting Analysis
Published: 23 Feb 2026, 08:45
Last modified:23 Feb 2026, 15:40

Vulnerability Summary

Overall Risk (default)
high
70/100
CVSS Score
9.1 CRITICAL
v3.1 (cve.org)
EPSS Score
<0.01% LOW
0% probability
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

23 Feb 2026, 08:45
Published
Vulnerability first disclosed
23 Feb 2026, 15:40
Last Modified
Vulnerability information updated

Description

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation. This issue affects Apache Camel: from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue.

CVSS Metrics

  • v3.1CRITICALScore: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Trends

Current EPSS score: 0.01% Percentile: 1%

Techniques & Countermeasures

  • CWE-346Origin Validation Error

    The product does not properly verify that the source of data or communication is valid.

Affected Systems

  • apache software foundationapache camel

    ≥ 4.15.0, < 4.18.0

References (3)