Insufficient Session Expiration in Apache Camel Keycloak Component
CVE-2026-46455

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
6 July 2026

What is CVE-2026-46455?

An Insufficient Session Expiration vulnerability exists in the Keycloak component of Apache Camel. This issue arises because the KeycloakSecurityHelper.parseAndVerifyAccessToken method improperly checks token validity, potentially allowing expired or not-yet-valid access tokens to be recognized as valid. The inherent design flaw stems from the use of the TokenVerifier with only subject and issuer checks, leading to a lack of enforcement of critical expiration claims. Consequently, applications using this helper might accept tokens outside their intended validity period. To mitigate this risk, users are encouraged to upgrade to the latest versions, specifically to 4.21.0 or 4.18.3, where these checks are properly enforced. For users unable to upgrade immediately, it is advised to implement additional expiration validations externally.

Affected Version(s)

Apache Camel 4.18.0 < 4.18.3

Apache Camel 4.19.0 < 4.21.0

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Yu Bao from Paypal
Andrea Cosentino from Apache Software Foundation
.