PatchSiren cyber security CVE debrief
CVE-2026-46455 Apache CVE debrief
The CVE record describes an Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. This results in the helper verifying the token signature, subject and issuer but not enforcing the token's validity window: an access token that is expired, or not yet valid, is accepted as valid.
- Vendor
- Apache
- Product
- Camel
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-06
- Original CVE updated
- 2026-07-08
- Advisory published
- 2026-07-06
- Advisory updated
- 2026-07-08
Who should care
Users of Apache Camel from version 4.18.0 before 4.18.3, and from 4.19.0 before 4.21.0, should be aware of this vulnerability and take necessary actions to upgrade or apply mitigations.
Technical summary
The KeycloakSecurityHelper.parseAndVerifyAccessToken method in Apache Camel Keycloak Component does not enforce token expiration due to incomplete checks. Specifically, it uses Keycloak's TokenVerifier.withChecks(...) with only subject-exists and realm-URL (issuer) checks, omitting the IS_ACTIVE predicate that validates token's exp (expiration) and nbf (not-before) claims. Consequently, expired or not-yet-valid access tokens are accepted as valid, posing a security risk to routes relying on this helper for authentication.
Defensive priority
High priority should be given to upgrading to version 4.21.0 or applying recommended mitigations, as the vulnerability has a critical CVSS score of 9.8.
Recommended defensive actions
- Upgrade to Apache Camel version 4.21.0
- If on 4.18.x releases stream, upgrade to 4.18.3
- Enforce token expiration outside the helper by validating access token's exp/nbf claims in the route
- Keep Keycloak access-token lifetimes short
- Ensure any upstream gateway or resource server also validates the token validity window
Evidence notes
The CVE record and NVD detail provide information on the vulnerability, affected versions, and recommended actions. The vendor advisory and third-party advisory references offer additional guidance on mitigation and remediation.
Official resources
-
CVE-2026-46455 CVE record
CVE.org
-
CVE-2026-46455 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Mitigation, Vendor Advisory
-
Mitigation or vendor reference
af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:36.573Z and has not been modified since then.