GHSA-qvc3-6q9x-95pj
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Network-reachable endpoint, default config is vulnerable (AC:L), no credential needed to send a non-null Bearer string (PR:N), full access to protected route yields high C/I/A.
Primary rating from Vendor (CNA).
CVSS VectorVendor
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3Description PRE-NVD
Articles & Coverage 5
AnalysisAI
Authentication bypass in Apache Camel's camel-keycloak component (versions 4.15.0-4.18.2 and 4.19.0-4.20.x) allows any caller presenting a non-null Authorization: Bearer header value - including an arbitrary string or a forged, unsigned JWT - to bypass Keycloak token verification entirely and access routes protected by KeycloakSecurityPolicy. The cryptographic token checks (signature, issuer, expiry) are embedded exclusively inside role and permission validation routines that are never invoked when requiredRoles and requiredPermissions are empty, which is the documented default 'Basic Setup.' Where the protected route connects to a code-execution-capable Camel producer, this authentication bypass can escalate to unauthenticated remote code execution; no public exploit has been identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires: (1) the target application uses org.apache.camel:camel-keycloak at an affected version (4.15.0-4.18.2 or 4.19.0-4.20.x); (2) at least one Camel route is guarded by KeycloakSecurityPolicy; and (3) the policy has requiredRoles and requiredPermissions both left at their default empty values - the condition explicitly documented as the Basic Setup in official Apache Camel Keycloak documentation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score was provided with this advisory, so risk must be assessed independently. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a Camel application sends a standard HTTP request to any route protected by KeycloakSecurityPolicy with default empty requiredRoles and requiredPermissions, including an Authorization: Bearer <arbitrary_string> header - no valid Keycloak credential or JWT knowledge is required. The token-presence check passes (header is non-null), the role and permission checks are skipped (both lists are empty), and cryptographic verification is never invoked; the request reaches the protected route with no interaction with Keycloak. … |
| Remediation | Upgrade to Apache Camel 4.18.3 if on the 4.18.x LTS stream, or to 4.21.0 for the latest release stream; both were released in early July 2026 and confirmed by the Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-53913.html to contain the fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all systems running Apache Camel 4.15.0-4.18.2 or 4.19.0-4.20.x to identify camel-keycloak deployments and routes with code-execution capability. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Bypass/Injection vulnerability in Apache Camel components under particular conditions.10.0 through <= 4.10.1, from 4.8.0
The XSLT component in Apache Camel before 2.11.4 and 2.12.x before 2.12.3 allows remote attackers to read arbitrary file
Apache Camel's Jackson and JacksonXML unmarshalling operation are vulnerable to Remote Code Execution attacks. Rated cri
The XSLT component in Apache Camel 2.11.x before 2.11.4, 2.12.x before 2.12.3, and possibly earlier versions allows remo
Cross-realm token acceptance bypass in Apache Camel Keycloak security policy. The KeycloakSecurityPolicy fails to proper
Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component. The Camel-LevelDB DefaultLevelDBSeria
The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInp
Apache Camel's File is vulnerable to directory traversal. Rated high severity (CVSS 7.5), this vulnerability is remotely
The camel-castor component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-se
The camel-xstream component in Apache Camel before 2.15.5 and 2.16.x before 2.16.1 allow remote attackers to execute arb
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-s
Apache Camel before 2.9.7, 2.10.0 before 2.10.7, 2.11.0 before 2.11.2, and 2.12.0 allows remote attackers to execute arb
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41847