{"schema_version": "1.6.1", "id": "CVE-2026-23552", "summary": "Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy", "details": "Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. \n\nThe Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation.\nThis issue affects Apache Camel: from 4.15.0 before 4.18.0.\n\nUsers are recommended to upgrade to version 4.18.0, which fixes the issue.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "4.15.0"}, {"fixed": "4.18.0"}]}]}], "references": [{"type": "WEB", "url": "https://camel.apache.org/security/CVE-2026-23552.html"}, {"type": "WEB", "url": "https://github.com/oscerd/CVE-2026-23552"}]}