PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-46455 Apache CVE debrief

The CVE record describes an Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. This results in the helper verifying the token signature, subject and issuer but not enforcing the token's validity window: an access token that is expired, or not yet valid, is accepted as valid.

Vendor
Apache
Product
Camel
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-06
Original CVE updated
2026-07-08
Advisory published
2026-07-06
Advisory updated
2026-07-08

Who should care

Users of Apache Camel from version 4.18.0 before 4.18.3, and from 4.19.0 before 4.21.0, should be aware of this vulnerability and take necessary actions to upgrade or apply mitigations.

Technical summary

The KeycloakSecurityHelper.parseAndVerifyAccessToken method in Apache Camel Keycloak Component does not enforce token expiration due to incomplete checks. Specifically, it uses Keycloak's TokenVerifier.withChecks(...) with only subject-exists and realm-URL (issuer) checks, omitting the IS_ACTIVE predicate that validates token's exp (expiration) and nbf (not-before) claims. Consequently, expired or not-yet-valid access tokens are accepted as valid, posing a security risk to routes relying on this helper for authentication.

Defensive priority

High priority should be given to upgrading to version 4.21.0 or applying recommended mitigations, as the vulnerability has a critical CVSS score of 9.8.

Recommended defensive actions

  • Upgrade to Apache Camel version 4.21.0
  • If on 4.18.x releases stream, upgrade to 4.18.3
  • Enforce token expiration outside the helper by validating access token's exp/nbf claims in the route
  • Keep Keycloak access-token lifetimes short
  • Ensure any upstream gateway or resource server also validates the token validity window

Evidence notes

The CVE record and NVD detail provide information on the vulnerability, affected versions, and recommended actions. The vendor advisory and third-party advisory references offer additional guidance on mitigation and remediation.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-06T09:16:36.573Z and has not been modified since then.