This is an automated email from the ASF dual-hosted git repository.

oscerd pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git

commit 2ec7e606bd5437d0a9cc80ce3131eefdde1ebdc2
Author: Andrea Cosentino <[email protected]>
AuthorDate: Mon Jun 15 12:27:07 2026 +0200

    Added CVE-2026-53913
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 content/security/CVE-2026-53913.md      | 17 +++++++++++++++++
 content/security/CVE-2026-53913.txt.asc | 31 +++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/content/security/CVE-2026-53913.md 
b/content/security/CVE-2026-53913.md
new file mode 100644
index 00000000..d5c81934
--- /dev/null
+++ b/content/security/CVE-2026-53913.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-53913"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-53913.html
+draft: false
+type: security-advisory
+cve: CVE-2026-53913
+severity: HIGH
+summary: "Apache Camel: Camel-Keycloak: KeycloakSecurityPolicy verifies the 
bearer access token only inside its role and permission checks, so in the 
default configuration (no required roles or permissions) the token is never 
verified and any non-null bearer value is accepted - a fail-open authentication 
bypass"
+description: "The KeycloakSecurityPolicy of camel-keycloak guards a route by 
running KeycloakSecurityProcessor.beforeProcess(), which performs three checks 
in sequence: it rejects a request that carries no access token, then - only if 
requiredRoles is non-empty - validates the roles, and - only if 
requiredPermissions is non-empty - validates the permissions. The actual 
cryptographic verification of the bearer access token (signature, issuer and 
expiry for a local JWT, or active-state and [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. For deployments that cannot upgrade immediately, 
configure a non-empty requiredRoles or requiredPermissions on every 
KeycloakSecurityPolicy so that the token-verification path is exercised, set 
allowTokenFromHeader to false where the token is not expected from the request 
header, or perform token verification at  [...]
+credit: "This issue was discovered by Lidor Ben Shitrit from Novee Security"
+affected: "From 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0."
+fixed: 4.18.3 and 4.21.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23738 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23958 (commit 
1477cb4e87b2c301f1cdcddca5b153fbbef6934b) and backported to camel-4.18.x 
(commit b62170072348cc4073ddf705ad716aa3678d6c09). The fix makes 
KeycloakSecurityProcessor.beforeProcess() always authenticate the access token 
when one is present, independently of whether rol [...]
diff --git a/content/security/CVE-2026-53913.txt.asc 
b/content/security/CVE-2026-53913.txt.asc
new file mode 100644
index 00000000..51bb8aa3
--- /dev/null
+++ b/content/security/CVE-2026-53913.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-53913"
+date: 2026-06-11T10:00:00+02:00
+url: /security/CVE-2026-53913.html
+draft: false
+type: security-advisory
+cve: CVE-2026-53913
+severity: HIGH
+summary: "Apache Camel: Camel-Keycloak: KeycloakSecurityPolicy verifies the 
bearer access token only inside its role and permission checks, so in the 
default configuration (no required roles or permissions) the token is never 
verified and any non-null bearer value is accepted - a fail-open authentication 
bypass"
+description: "The KeycloakSecurityPolicy of camel-keycloak guards a route by 
running KeycloakSecurityProcessor.beforeProcess(), which performs three checks 
in sequence: it rejects a request that carries no access token, then - only if 
requiredRoles is non-empty - validates the roles, and - only if 
requiredPermissions is non-empty - validates the permissions. The actual 
cryptographic verification of the bearer access token (signature, issuer and 
expiry for a local JWT, or active-state and [...]
+mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes 
the issue. If users are on the 4.18.x releases stream, then they are suggested 
to upgrade to 4.18.3. For deployments that cannot upgrade immediately, 
configure a non-empty requiredRoles or requiredPermissions on every 
KeycloakSecurityPolicy so that the token-verification path is exercised, set 
allowTokenFromHeader to false where the token is not expected from the request 
header, or perform token verification at  [...]
+credit: "This issue was discovered by Lidor Ben Shitrit from Novee Security"
+affected: "From 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0."
+fixed: 4.18.3 and 4.21.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23738 refers to 
the various commits that resolved the issue, and have more details. The fix was 
merged on main in https://github.com/apache/camel/pull/23958 (commit 
1477cb4e87b2c301f1cdcddca5b153fbbef6934b) and backported to camel-4.18.x 
(commit b62170072348cc4073ddf705ad716aa3678d6c09). The fix makes 
KeycloakSecurityProcessor.beforeProcess() always authenticate the access token 
when one is present, independently of whether rol [...]
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/
+QQB2pAf+JGsU4P7qMm29/EJMFDv1myuKYrK8V7Ft0ShxmcO4lxSlGpaY2Ht4vqS6
+cfYK3twDSp3PyDbyPmfV0vjYT5tuYKKLZAL4S3GX1MmMhEtnCMkiGZ/EyU7ZaaJ/
++Kzkmsh1zS69XikwGIaVRwd3bY0H/IjfHO2XVoAcXikJ0LX4x3g/7CjwQNVfLMHV
+2X7MyDeSwlmvuo8p9LyNG+aIUk/QX8ncezbshRrRgbCoF/q2Y75wthPjrSTIIUok
+KS4WNhqT5l3mVc7TbNJQn3TZ+aY0/40ydpDabBTiEuYcyIhsTP6Qpuop0fCIK+bf
+p5r0V24ABl97PaKVRwROdH4AKYJokA==
+=uDCR
+-----END PGP SIGNATURE-----

Reply via email to