Skip to main content

Apache Camel EUVDEUVD-2026-41829

| CVE-2026-46455 CRITICAL
Insufficient Session Expiration (CWE-613)
2026-07-06 apache GHSA-mqwc-6qwc-v9gq
9.8
CVSS 3.1 · Vendor: apache
Share

Severity by source

Vendor (apache) PRIMARY
9.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.4 HIGH

AC:H because the attacker must first obtain a genuine expired/not-yet-valid token; PR:N since no live credentials are checked; A:N as the impact is unauthorized access, not availability loss.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (apache).

CVSS VectorVendor: apache

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 06, 2026 - 20:59 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 06, 2026 - 20:59 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 06, 2026 - 20:22 vuln.today
cvss_changed
CVSS changed
Jul 06, 2026 - 20:22 NVD
9.8 (CRITICAL)
Patch available
Jul 06, 2026 - 10:01 EUVD
Analysis Generated
Jul 06, 2026 - 09:32 vuln.today

DescriptionCVE.org

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.

The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak's TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token's exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token's validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime. This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.

Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak's default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token's exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window.

AnalysisAI

Authentication token-lifetime bypass in the Apache Camel Keycloak component (camel-keycloak) affects versions 4.18.0-4.18.2 and 4.19.0-4.20.x, allowing expired or not-yet-valid Keycloak access tokens to be accepted as valid. The KeycloakSecurityHelper builds its TokenVerifier via withChecks() with only subject and issuer checks, so Keycloak's IS_ACTIVE exp/nbf validation is never installed, and any route relying on this helper will trust tokens outside their intended lifetime. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain legitimately-issued Keycloak access token
Delivery
Wait past token exp or use not-yet-valid token
Exploit
Replay token to camel-keycloak protected route
Execution
Missing IS_ACTIVE check accepts stale token
Impact
Gain unauthorized access to route resources

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target deploy a Camel route using the camel-keycloak component's KeycloakSecurityHelper.parseAndVerifyAccessToken to authenticate inbound requests on an affected version (4.18.0-4.18.2 or 4.19.0-4.20.x). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H) overstates real-world urgency for this class of flaw. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has captured or otherwise obtained a legitimate Keycloak access token - for example from application logs, a browser cache, an intercepted request, or an old session - replays that token against a Camel route protected by KeycloakSecurityHelper after the token's expiry time has passed. Because the IS_ACTIVE check is missing, the route accepts the stale token and grants access as if it were still valid. …
Remediation Vendor-released patch: upgrade to Apache Camel 4.21.0; deployments on the 4.18.x stream should upgrade to 4.18.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all systems running Apache Camel versions 4.18.0-4.18.2 or 4.19.0-4.20.x using Keycloak authentication. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33453 CRITICAL POC
10.0 Apr 27

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap

CVE-2026-40858 HIGH POC
8.8 Apr 27

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote In

CVE-2026-47323 CRITICAL
9.8 May 19

Remote code execution in Apache Camel 3.18.0-4.14.5 and 4.15.0-4.18.1 stems from CXF and Knative HeaderFilterStrategy im

CVE-2026-33454 CRITICAL
9.4 Apr 27

The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the

CVE-2026-46590 HIGH
8.8 Jul 06

Remote code execution via unsafe Java deserialization affects the camel-pqc component of Apache Camel 4.18.0-4.18.2 and

CVE-2026-27172 HIGH
8.8 Apr 27

The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner C

CVE-2026-46591 HIGH
8.2 Jul 06

Cypher injection in Apache Camel's camel-neo4j producer allows attackers who control JSON key names in the CamelNeo4jMat

CVE-2026-43865 HIGH
8.1 Jul 06

Remote code execution in the Apache Camel camel-hazelcast component allows an attacker who can join or reach the Hazelca

CVE-2026-40859 HIGH
8.1 Jul 06

Remote code execution in Apache Camel's camel-vertx-http component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0) arises when a p

CVE-2026-42527 HIGH
8.1 Jul 06

Blind out-of-band data exfiltration in Apache Camel 4.14.0-4.20.x arises because the default ObjectInputFilter pattern b

CVE-2026-46457 HIGH
7.5 Jul 06

Header injection in the Apache Camel camel-nats component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) allows any NATS c

CVE-2026-46592 HIGH
7.5 Jul 06

Confused-deputy operation redirection in the Apache Camel camel-cxf SOAP component (versions 4.0.0 before 4.14.8, 4.15.0

Share

EUVD-2026-41829 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy