Share
## https://sploitus.com/exploit?id=8D979AC1-8A2A-5291-9BA4-8FE5B8B29964
# camel-keycloak Missing IS_ACTIVE Check โ€” Expired Tokens Accepted Reproducer (CVE-2026-46455)

This project demonstrates an **authentication weakness** in Apache Camel's `camel-keycloak` component, tracked
as **CVE-2026-46455**. The security helper `KeycloakSecurityHelper.parseAndVerifyAccessToken` builds a Keycloak
`TokenVerifier` with `withChecks(...)` using only the **subject-exists** and **realm-URL (issuer)** checks.
Keycloak's `TokenVerifier.withChecks(...)` appends to an *initially empty* check list โ€” the upstream default
checks are installed only by `withDefaultChecks()` โ€” so the built-in **`IS_ACTIVE`** predicate (which validates
the token's `exp` / `nbf` claims) is **never applied**. The helper therefore verifies signature, subject and
issuer but **does not enforce the token's validity window**: an **expired** (or not-yet-valid) access token is
accepted as valid.

Advisory: https://camel.apache.org/security/CVE-2026-46455.html

## Vulnerability Summary

| Property | Value |
|----------|-------|
| **Component** | `camel-keycloak` |
| **Affected Class** | `org.apache.camel.component.keycloak.security.KeycloakSecurityHelper#parseAndVerifyAccessToken` |
| **CWE** | CWE-613 (Insufficient Session Expiration) + CWE-287 (Improper Authentication) |
| **Impact** | Expired / not-yet-valid access tokens accepted โ†’ requests authenticated outside the token lifetime |
| **Affected Versions** | From 4.18.0 before 4.18.3, from 4.19.0 before 4.21.0 (helper introduced in 4.18.0; 4.14.x LTS not affected) |
| **Fixed Versions** | 4.18.3, 4.21.0 |
| **JIRA** | CAMEL-23504 |
| **Reporters** | Andrea Cosentino (Apache Software Foundation) and Yu Bao (PayPal) |

## Technical Details

```java
// KeycloakSecurityHelper.parseAndVerifyAccessToken(...) - affected 4.18.2
TokenVerifier verifier = TokenVerifier.create(tokenString, AccessToken.class)
        .publicKey(publicKey)
        .withChecks(
                TokenVerifier.SUBJECT_EXISTS_CHECK,
                new TokenVerifier.RealmUrlCheck(expectedIssuer));   //  Minted a correctly-signed access token that expired 30 minutes ago (...).
#
#    KeycloakSecurityHelper.parseAndVerifyAccessToken -> ACCEPTED (returned token for subject 'attacker-user')
#    Same token with TokenVerifier.IS_ACTIVE (the fix)   -> rejected (expired)
#
#    >>> Auth-bypass proof โ€” helper accepted an expired token that IS_ACTIVE rejects: true
```

### Cleanup

```bash
docker compose down
```

## Attack Vectors

Any route that authenticates inbound requests through `KeycloakSecurityHelper.parseAndVerifyAccessToken` (e.g.
via `KeycloakSecurityPolicy`) accepts access tokens outside their intended lifetime โ€” a token that has expired
(or been revoked past its natural expiry, when relying on `exp`) is still treated as valid.

## Exploit Conditions

1. A route using camel-keycloak's security helper on an affected version to validate access tokens.
2. An access token that is validly signed for the expected issuer but whose validity window has passed.

## Recommended Fix

Upgrade to **4.18.3 / 4.21.0** (CAMEL-23504), which adds `TokenVerifier.IS_ACTIVE` so expired / not-yet-valid
tokens are rejected.

## Mitigation

Until upgrading:

1. Validate the access token's `exp` / `nbf` claims in the route before trusting it.
2. Keep Keycloak access-token lifetimes short.
3. Ensure any upstream gateway or resource server also enforces the token validity window.

## Disclaimer

This reproducer is provided for **security research and authorized testing only**, for a **publicly disclosed
and fixed** vulnerability. Do not use it against systems without explicit permission.