CVE-2026-46455 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-46455 | CVSS 9.8 (Critical) | Exploit: No known exploit
What Is It
CVE-2026-46455 is an Insufficient Session Expiration vulnerability in the Apache Camel Keycloak Component, specifically within the KeycloakSecurityHelper.parseAndVerifyAccessToken method of the camel-keycloak security helper.
Technical Detail
The flaw exists in how KeycloakSecurityHelper.parseAndVerifyAccessToken constructs a Keycloak TokenVerifier, where token expiration is not properly enforced, allowing expired access tokens to be accepted as valid. An attacker in possession of an expired Keycloak access token could present it to a Camel-based application and have it treated as authenticated, effectively achieving an authentication bypass. The practical impact is unauthorized access to protected routes and resources within applications built on Apache Camel that rely on the camel-keycloak component for security enforcement.
Exploitation Status
No known exploit exists for this vulnerability at this time. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Despite the critical CVSS score of 9.8, there is no public proof-of-concept code or evidence of active exploitation as of July 13, 2026.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor activity has been associated with this vulnerability.
What To Do
Organizations using Apache Camel with the camel-keycloak component should treat this as a high-priority patch given the critical CVSS score and the nature of the authentication bypass. Apply the latest patched version of Apache Camel as soon as it becomes available from the Apache Software Foundation. As an interim workaround, consider implementing token expiration validation at an additional layer, such as at the API gateway or reverse proxy level, to reject expired tokens before they reach the Camel application. Audit any applications that use KeycloakSecurityHelper.parseAndVerifyAccessToken to assess exposure. Monitor Keycloak access logs for anomalous use of expired tokens as a detection signal while patches are being applied.