This is an automated email from the ASF dual-hosted git repository. oscerd pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel-website.git
commit 2ec7e606bd5437d0a9cc80ce3131eefdde1ebdc2 Author: Andrea Cosentino <[email protected]> AuthorDate: Mon Jun 15 12:27:07 2026 +0200 Added CVE-2026-53913 Signed-off-by: Andrea Cosentino <[email protected]> --- content/security/CVE-2026-53913.md | 17 +++++++++++++++++ content/security/CVE-2026-53913.txt.asc | 31 +++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/content/security/CVE-2026-53913.md b/content/security/CVE-2026-53913.md new file mode 100644 index 00000000..d5c81934 --- /dev/null +++ b/content/security/CVE-2026-53913.md @@ -0,0 +1,17 @@ +--- +title: "Apache Camel Security Advisory - CVE-2026-53913" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-53913.html +draft: false +type: security-advisory +cve: CVE-2026-53913 +severity: HIGH +summary: "Apache Camel: Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a fail-open authentication bypass" +description: "The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at [...] +credit: "This issue was discovered by Lidor Ben Shitrit from Novee Security" +affected: "From 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.18.3 and 4.21.0 +--- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23738 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23958 (commit 1477cb4e87b2c301f1cdcddca5b153fbbef6934b) and backported to camel-4.18.x (commit b62170072348cc4073ddf705ad716aa3678d6c09). The fix makes KeycloakSecurityProcessor.beforeProcess() always authenticate the access token when one is present, independently of whether rol [...] diff --git a/content/security/CVE-2026-53913.txt.asc b/content/security/CVE-2026-53913.txt.asc new file mode 100644 index 00000000..51bb8aa3 --- /dev/null +++ b/content/security/CVE-2026-53913.txt.asc @@ -0,0 +1,31 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +- --- +title: "Apache Camel Security Advisory - CVE-2026-53913" +date: 2026-06-11T10:00:00+02:00 +url: /security/CVE-2026-53913.html +draft: false +type: security-advisory +cve: CVE-2026-53913 +severity: HIGH +summary: "Apache Camel: Camel-Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration (no required roles or permissions) the token is never verified and any non-null bearer value is accepted - a fail-open authentication bypass" +description: "The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess(), which performs three checks in sequence: it rejects a request that carries no access token, then - only if requiredRoles is non-empty - validates the roles, and - only if requiredPermissions is non-empty - validates the permissions. The actual cryptographic verification of the bearer access token (signature, issuer and expiry for a local JWT, or active-state and [...] +mitigation: "Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. For deployments that cannot upgrade immediately, configure a non-empty requiredRoles or requiredPermissions on every KeycloakSecurityPolicy so that the token-verification path is exercised, set allowTokenFromHeader to false where the token is not expected from the request header, or perform token verification at [...] +credit: "This issue was discovered by Lidor Ben Shitrit from Novee Security" +affected: "From 4.15.0 before 4.18.3, from 4.19.0 before 4.21.0." +fixed: 4.18.3 and 4.21.0 +- --- + +The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23738 refers to the various commits that resolved the issue, and have more details. The fix was merged on main in https://github.com/apache/camel/pull/23958 (commit 1477cb4e87b2c301f1cdcddca5b153fbbef6934b) and backported to camel-4.18.x (commit b62170072348cc4073ddf705ad716aa3678d6c09). The fix makes KeycloakSecurityProcessor.beforeProcess() always authenticate the access token when one is present, independently of whether rol [...] +-----BEGIN PGP SIGNATURE----- + +iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmovx0oACgkQ406fOAL/ +QQB2pAf+JGsU4P7qMm29/EJMFDv1myuKYrK8V7Ft0ShxmcO4lxSlGpaY2Ht4vqS6 +cfYK3twDSp3PyDbyPmfV0vjYT5tuYKKLZAL4S3GX1MmMhEtnCMkiGZ/EyU7ZaaJ/ ++Kzkmsh1zS69XikwGIaVRwd3bY0H/IjfHO2XVoAcXikJ0LX4x3g/7CjwQNVfLMHV +2X7MyDeSwlmvuo8p9LyNG+aIUk/QX8ncezbshRrRgbCoF/q2Y75wthPjrSTIIUok +KS4WNhqT5l3mVc7TbNJQn3TZ+aY0/40ydpDabBTiEuYcyIhsTP6Qpuop0fCIK+bf +p5r0V24ABl97PaKVRwROdH4AKYJokA== +=uDCR +-----END PGP SIGNATURE-----
