Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-46455 (GCVE-0-2026-46455)
Vulnerability from cvelistv5 – Published: 2026-07-06 07:56 – Updated: 2026-07-06 19:29- CWE-613 - Insufficient Session Expiration
| Vendor | Product | Version | |
|---|---|---|---|
| Apache Software Foundation | Apache Camel |
Affected:
4.18.0 , < 4.18.3
(semver)
Affected: 4.19.0 , < 4.21.0 (semver) |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-07-06T09:25:13.360Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/07/05/8"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-46455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T19:29:09.924590Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:29:29.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.camel:camel-keycloak",
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.18.3",
"status": "affected",
"version": "4.18.0",
"versionType": "semver"
},
{
"lessThan": "4.21.0",
"status": "affected",
"version": "4.19.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Yu Bao from Paypal"
},
{
"lang": "en",
"type": "finder",
"value": "Andrea Cosentino from Apache Software Foundation"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eInsufficient Session Expiration vulnerability in Apache Camel Keycloak Component.\u003c/p\u003eThe camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak\u0027s TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token\u0027s exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token\u0027s validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak\u0027s default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token\u0027s exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window.\u003c/p\u003e"
}
],
"value": "Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.\n\nThe camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak\u0027s TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token\u0027s exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token\u0027s validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime.\nThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak\u0027s default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token\u0027s exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-613",
"description": "CWE-613 Insufficient Session Expiration",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T07:56:29.905Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://camel.apache.org/security/CVE-2026-46455.html"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2026-46455",
"datePublished": "2026-07-06T07:56:29.905Z",
"dateReserved": "2026-05-14T08:55:41.867Z",
"dateUpdated": "2026-07-06T19:29:29.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-46455",
"date": "2026-07-06",
"epss": "0.00152",
"percentile": "0.04706"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-46455\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-07-06T09:16:36.573\",\"lastModified\":\"2026-07-06T20:16:34.090\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.\\n\\nThe camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak\u0027s TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token\u0027s exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token\u0027s validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime.\\nThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\\n\\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak\u0027s default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token\u0027s exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window.\"}],\"affected\":[{\"source\":\"security@apache.org\",\"affectedData\":[{\"vendor\":\"Apache Software Foundation\",\"product\":\"Apache Camel\",\"defaultStatus\":\"unaffected\",\"collectionURL\":\"https://repo.maven.apache.org/maven2\",\"packageName\":\"org.apache.camel:camel-keycloak\",\"versions\":[{\"version\":\"4.18.0\",\"lessThan\":\"4.18.3\",\"versionType\":\"semver\",\"status\":\"affected\"},{\"version\":\"4.19.0\",\"lessThan\":\"4.21.0\",\"versionType\":\"semver\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-07-06T19:29:09.924590Z\",\"id\":\"CVE-2026-46455\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-613\"}]}],\"references\":[{\"url\":\"https://camel.apache.org/security/CVE-2026-46455.html\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/07/05/8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/07/05/8\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-07-06T09:25:13.360Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-46455\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-07-06T19:29:09.924590Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-07-06T19:29:25.823Z\"}}], \"cna\": {\"title\": \"Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Yu Bao from Paypal\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Andrea Cosentino from Apache Software Foundation\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Camel\", \"versions\": [{\"status\": \"affected\", \"version\": \"4.18.0\", \"lessThan\": \"4.18.3\", \"versionType\": \"semver\"}, {\"status\": \"affected\", \"version\": \"4.19.0\", \"lessThan\": \"4.21.0\", \"versionType\": \"semver\"}], \"packageName\": \"org.apache.camel:camel-keycloak\", \"collectionURL\": \"https://repo.maven.apache.org/maven2\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://camel.apache.org/security/CVE-2026-46455.html\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.\\n\\nThe camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak\u0027s TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token\u0027s exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token\u0027s validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime.\\nThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\\n\\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak\u0027s default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token\u0027s exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eInsufficient Session Expiration vulnerability in Apache Camel Keycloak Component.\u003c/p\u003eThe camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak\u0027s TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token\u0027s exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token\u0027s validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime.\u003cbr\u003e\u003cp\u003eThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak\u0027s default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token\u0027s exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-613\", \"description\": \"CWE-613 Insufficient Session Expiration\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-07-06T07:56:29.905Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-46455\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-07-06T19:29:29.570Z\", \"dateReserved\": \"2026-05-14T08:55:41.867Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-07-06T07:56:29.905Z\", \"assignerShortName\": \"apache\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-46455
Vulnerability from fkie_nvd - Published: 2026-07-06 09:16 - Updated: 2026-07-06 20:16| Vendor | Product | Version |
|---|
{
"affected": [
{
"affectedData": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.camel:camel-keycloak",
"product": "Apache Camel",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "4.18.3",
"status": "affected",
"version": "4.18.0",
"versionType": "semver"
},
{
"lessThan": "4.21.0",
"status": "affected",
"version": "4.19.0",
"versionType": "semver"
}
]
}
],
"source": "security@apache.org"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.\n\nThe camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak\u0027s TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token\u0027s exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token\u0027s validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime.\nThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak\u0027s default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token\u0027s exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window."
}
],
"id": "CVE-2026-46455",
"lastModified": "2026-07-06T20:16:34.090",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
],
"ssvcV203": [
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"ssvcData": {
"id": "CVE-2026-46455",
"options": [
{
"exploitation": "none"
},
{
"automatable": "yes"
},
{
"technicalImpact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T19:29:09.924590Z",
"version": "2.0.3"
}
}
]
},
"published": "2026-07-06T09:16:36.573",
"references": [
{
"source": "security@apache.org",
"url": "https://camel.apache.org/security/CVE-2026-46455.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2026/07/05/8"
}
],
"sourceIdentifier": "security@apache.org",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-613"
}
],
"source": "security@apache.org",
"type": "Secondary"
}
]
}
GHSA-MQWC-6QWC-V9GQ
Vulnerability from github – Published: 2026-07-06 09:30 – Updated: 2026-07-06 21:30Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.
The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak's TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token's exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token's validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime. This issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.
Users are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak's default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token's exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window.
{
"affected": [],
"aliases": [
"CVE-2026-46455"
],
"database_specific": {
"cwe_ids": [
"CWE-613"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-06T09:16:36Z",
"severity": "CRITICAL"
},
"details": "Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component.\n\nThe camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) with only the subject-exists check and the realm-URL (issuer) check. Keycloak\u0027s TokenVerifier.withChecks(...) appends to an initially empty check list - the upstream default checks are installed only when withDefaultChecks() is called - so the built-in IS_ACTIVE predicate, which validates the token\u0027s exp (expiration) and nbf (not-before) claims, is never applied. As a result the helper verifies the token signature, subject and issuer but does not enforce the token\u0027s validity window: an access token that is expired, or not yet valid, is accepted as valid. Routes that rely on this helper to authenticate inbound requests therefore accept access tokens that are outside their intended lifetime.\nThis issue affects Apache Camel: from 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0.\n\nUsers are recommended to upgrade to version 4.21.0, which fixes the issue. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.3. The fix makes KeycloakSecurityHelper.parseAndVerifyAccessToken include the TokenVerifier.IS_ACTIVE check so that expired or not-yet-valid access tokens are rejected, aligning the helper with Keycloak\u0027s default check set. For deployments that cannot upgrade immediately, enforce token expiration outside the helper - for example validate the access token\u0027s exp/nbf claims in the route before trusting it, keep Keycloak access-token lifetimes short, and ensure any upstream gateway or resource server also validates the token validity window.",
"id": "GHSA-mqwc-6qwc-v9gq",
"modified": "2026-07-06T21:30:36Z",
"published": "2026-07-06T09:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46455"
},
{
"type": "WEB",
"url": "https://camel.apache.org/security/CVE-2026-46455.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2026/07/05/8"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
WID-SEC-W-2026-2203
Vulnerability from csaf_certbund - Published: 2026-07-05 22:00 - Updated: 2026-07-06 22:00| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Apache Camel <4.18.3
Apache / Camel
|
<4.18.3 | ||
|
Apache Camel <4.21.0
Apache / Camel
|
<4.21.0 | ||
|
Apache Camel <4.14.8
Apache / Camel
|
<4.14.8 | ||
|
Apache Camel <4.20.0
Apache / Camel
|
<4.20.0 | ||
|
Apache Camel <4.19.0
Apache / Camel
|
<4.19.0 |
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Apache Camel ist ein Integrations-Framework, das Enterprise Integration Patterns implementiert.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein Angreifer kann mehrere Schwachstellen in Apache Camel ausnutzen, um beliebigen Programmcode auszuf\u00fchren, Sicherheitsma\u00dfnahmen zu umgehen, serverseitige Request-Forgery durchzuf\u00fchren, vertrauliche Informationen offenzulegen oder Daten zu manipulieren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Sonstiges\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2026-2203 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-2203.json"
},
{
"category": "self",
"summary": "WID-SEC-2026-2203 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-2203"
},
{
"category": "external",
"summary": "Apache Camel Security Information vom 2026-07-05",
"url": "https://camel.apache.org/security/"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-40047.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-40859.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-43865.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-43866.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46453.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46454.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46455.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46456.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46457.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46584.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46585.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46590.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46591.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46592.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-46726.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-48203.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-48204.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-48205.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-48206.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-49086.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-49097.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-49098.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-49099.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-49365.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-53913.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-55993.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-55994.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-56139.html"
},
{
"category": "external",
"summary": "Apache Camel Security Advisory vom 2026-07-05",
"url": "https://camel.apache.org/security/CVE-2026-56140.html"
}
],
"source_lang": "en-US",
"title": "Apache Camel: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2026-07-06T22:00:00.000+00:00",
"generator": {
"date": "2026-07-07T07:46:44.546+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.6.0"
}
},
"id": "WID-SEC-W-2026-2203",
"initial_release_date": "2026-07-05T22:00:00.000+00:00",
"revision_history": [
{
"date": "2026-07-05T22:00:00.000+00:00",
"number": "1",
"summary": "Initiale Fassung"
},
{
"date": "2026-07-06T22:00:00.000+00:00",
"number": "2",
"summary": "CVE-Nummern erg\u00e4nzt"
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.18.3",
"product": {
"name": "Apache Camel \u003c4.18.3",
"product_id": "T056164"
}
},
{
"category": "product_version",
"name": "4.18.3",
"product": {
"name": "Apache Camel 4.18.3",
"product_id": "T056164-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:camel:4.18.3"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.21.0",
"product": {
"name": "Apache Camel \u003c4.21.0",
"product_id": "T056165"
}
},
{
"category": "product_version",
"name": "4.21.0",
"product": {
"name": "Apache Camel 4.21.0",
"product_id": "T056165-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:camel:4.21.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.14.8",
"product": {
"name": "Apache Camel \u003c4.14.8",
"product_id": "T056166"
}
},
{
"category": "product_version",
"name": "4.14.8",
"product": {
"name": "Apache Camel 4.14.8",
"product_id": "T056166-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:camel:4.14.8"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.20.0",
"product": {
"name": "Apache Camel \u003c4.20.0",
"product_id": "T056168"
}
},
{
"category": "product_version",
"name": "4.20.0",
"product": {
"name": "Apache Camel 4.20.0",
"product_id": "T056168-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:camel:4.20.0"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.19.0",
"product": {
"name": "Apache Camel \u003c4.19.0",
"product_id": "T056169"
}
},
{
"category": "product_version",
"name": "4.19.0",
"product": {
"name": "Apache Camel 4.19.0",
"product_id": "T056169-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:apache:camel:4.19.0"
}
}
}
],
"category": "product_name",
"name": "Camel"
}
],
"category": "vendor",
"name": "Apache"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-40047",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-40047"
},
{
"cve": "CVE-2026-40859",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-40859"
},
{
"cve": "CVE-2026-43865",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-43865"
},
{
"cve": "CVE-2026-43866",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-43866"
},
{
"cve": "CVE-2026-43867",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-43867"
},
{
"cve": "CVE-2026-46453",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46453"
},
{
"cve": "CVE-2026-46454",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46454"
},
{
"cve": "CVE-2026-46455",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46455"
},
{
"cve": "CVE-2026-46456",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46456"
},
{
"cve": "CVE-2026-46457",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46457"
},
{
"cve": "CVE-2026-46584",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46584"
},
{
"cve": "CVE-2026-46585",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46585"
},
{
"cve": "CVE-2026-46587",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46587"
},
{
"cve": "CVE-2026-46588",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46588"
},
{
"cve": "CVE-2026-46590",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46590"
},
{
"cve": "CVE-2026-46591",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46591"
},
{
"cve": "CVE-2026-46592",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46592"
},
{
"cve": "CVE-2026-46726",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-46726"
},
{
"cve": "CVE-2026-48203",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-48203"
},
{
"cve": "CVE-2026-48204",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-48204"
},
{
"cve": "CVE-2026-48205",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-48205"
},
{
"cve": "CVE-2026-48206",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-48206"
},
{
"cve": "CVE-2026-49042",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-49042"
},
{
"cve": "CVE-2026-49086",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-49086"
},
{
"cve": "CVE-2026-49097",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-49097"
},
{
"cve": "CVE-2026-49098",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-49098"
},
{
"cve": "CVE-2026-49099",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-49099"
},
{
"cve": "CVE-2026-49365",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-49365"
},
{
"cve": "CVE-2026-53913",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-53913"
},
{
"cve": "CVE-2026-55993",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-55993"
},
{
"cve": "CVE-2026-55994",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-55994"
},
{
"cve": "CVE-2026-56139",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-56139"
},
{
"cve": "CVE-2026-56140",
"product_status": {
"known_affected": [
"T056164",
"T056165",
"T056166",
"T056168",
"T056169"
]
},
"release_date": "2026-07-05T22:00:00.000+00:00",
"title": "CVE-2026-56140"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.