CVE-2026-23552

CRITICAL

Apache Camel 4.15.0-4.17.0 - Auth Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-23552, a PoC published by oscerd.

AI-analyzed exploit summary

This repository contains a functional exploit PoC demonstrating CVE-2026-23552, an authentication bypass in Apache Camel's Keycloak integration. The exploit shows how a JWT issued by one Keycloak realm is accepted by a KeycloakSecurityPolicy configured for a different realm, because the policy never validates the token's issuer.

Description

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy (Apache Camel Keycloak component). The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm on the same Keycloak server, which breaks tenant isolation: any principal who can obtain a token in any realm can satisfy a policy meant to admit only one realm's users. This issue affects Apache Camel from 4.15.0 before 4.18.0. Users are recommended to upgrade to version 4.18.0, which fixes the issue.
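The issuer check that the advisory says was missing, as an added example that is not code from camel-keycloak or from the oscerd PoC. It models a policy that verifies a token's signature with the key of the realm named in the token's own iss claim and then either skips (vulnerable model) or enforces (hardened version) a comparison against the configured realm. The server URL, realm names, secrets and the HS256 signing are all constructed for the demo; real Keycloak realms sign with RS256 and publish their keys over JWKS, and whether camel-keycloak resolves keys per issuer in this way is not stated on this page.

```python
"""Issuer (iss) validation for Keycloak-issued JWTs.

Added example modelling the flaw described in CVE-2026-23552; not code from
camel-keycloak. Signing is simplified to HS256 with constructed per-realm
secrets so the script runs offline.
"""
import base64
import hashlib
import hmac
import json

SERVER_URL = "https://kc.example"  # constructed Keycloak base URL (assumption)

# Constructed per-realm secrets. The demo verifier picks the key from the
# token's own iss, so a token from any realm on the server carries a valid
# signature; only the issuer comparison decides which realm is trusted.
REALM_KEYS = {
    f"{SERVER_URL}/realms/tenant-a": b"tenant-a-secret",
    f"{SERVER_URL}/realms/tenant-b": b"tenant-b-secret",
    f"{SERVER_URL}/realms/tenant-a-staging": b"tenant-a-staging-secret",
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint an HS256 JWT for the realm named in claims['iss'] (demo helper)."""
    key = REALM_KEYS[claims["iss"]]
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_signature(token: str) -> dict:
    """Check the HS256 signature using the key of the realm in the token's iss."""
    header, payload, sig = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    key = REALM_KEYS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer, no signing key")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return claims


def expected_issuer(server_url: str, realm: str) -> str:
    """Keycloak issues tokens with iss = <server_url>/realms/<realm>."""
    return f"{server_url.rstrip('/')}/realms/{realm}"


def vulnerable_policy_accepts(token: str) -> bool:
    """Model of the advisory's flaw: signature verified, iss never compared."""
    try:
        verify_signature(token)
    except ValueError:
        return False
    return True


def hardened_policy_accepts(token: str, server_url: str, realm: str) -> bool:
    """Fixed behaviour: require an exact match between iss and the configured realm."""
    try:
        claims = verify_signature(token)
    except ValueError:
        return False
    iss = claims.get("iss")
    # Exact comparison: a prefix or substring check would also admit realms
    # such as tenant-a-staging; a missing iss is a failure, not a pass.
    return isinstance(iss, str) and iss == expected_issuer(server_url, realm)


if __name__ == "__main__":
    other_realm = make_token({"iss": f"{SERVER_URL}/realms/tenant-b", "sub": "mallory"})
    print("vulnerable accepts tenant-b token:", vulnerable_policy_accepts(other_realm))
    print("hardened accepts tenant-b token:  ",
          hardened_policy_accepts(other_realm, SERVER_URL, "tenant-a"))
```

Keycloak sets iss to `<server_url>/realms/<realm>`, so the configured realm fully determines the expected value: compare the whole string rather than a prefix, normalise the trailing slash on the configured server URL, and treat a missing iss as a failure. The issuer check complements signature verification against the realm's keys rather than replacing it. On affected Camel versions the remedy is the upgrade to 4.18.0 named in the advisory.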

Exploits (1)

GitHub · Working PoC
by oscerd · java · poc
https://github.com/oscerd/CVE-2026-23552


Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Apache Camel Keycloak integration (versions 4.15.0, 4.16.0, 4.17.0)
Auth required
Prerequisites: Java 17+ · Maven 3.9+ · Camel JBang CLI · Docker/Podman for Keycloak
devstral-2 · analyzed May 17, 2026

Scores

CVSS v3 9.1
EPSS 0.0040
EPSS Percentile 31.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-346 (Origin Validation Error)
Status published
Products (2)
apache/camel >= 4.15.0, < 4.18.0
org.apache.camel/camel-keycloak >= 4.15.0, < 4.18.0 (Maven)
Published Feb 23, 2026
Tracked Since Feb 23, 2026