Maintainers of Apache Camel, the widely adopted open-source integration framework for connecting systems that consume or produce data, have issued security updates to fix two “important”-severity vulnerabilities.
The flaws, which affect the camel-keycloak and camel-leveldb components, could allow attackers to bypass authentication boundaries between tenants or to execute unauthorized code through deserialization of untrusted data.
The first vulnerability, tracked as CVE-2026-23552, affects the camel-keycloak component and strikes at the heart of identity and access management.
According to the advisory, the issue is a “Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy”. In affected configurations, a token issued by one Keycloak realm may be accepted by a policy meant for a completely different realm. This breaks tenant isolation, since a user authenticated in one realm could reach resources that belong to another.
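The following added example (not code from Apache Camel or from the advisory) shows the realm-binding check a token policy needs in order to keep tenants apart: a Keycloak access token carries an `iss` claim of the form `<server>/realms/<realm>`, and the policy must compare it against the exact issuer of the realm it protects. The server URL, realm names and tokens are constructed for the demo; the signature check is assumed to happen upstream, and the hypothetical `same_server_only` function illustrates how a check that only confirms the issuing server, not the realm, accepts tokens across realms.

```python
import base64
import json

# Keycloak issuer URLs have the form "<server>/realms/<realm>".
def expected_issuer(server_url: str, realm: str) -> str:
    return f"{server_url.rstrip('/')}/realms/{realm}"

def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWS. The signature is NOT verified here;
    this example assumes signature validation happens before this check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def accepted_by_policy(token: str, server_url: str, realm: str) -> bool:
    """Realm-bound check: the issuer must match the protected realm exactly."""
    try:
        claims = decode_claims(token)
    except (ValueError, json.JSONDecodeError):
        return False
    return claims.get("iss") == expected_issuer(server_url, realm)

def same_server_only(token: str, server_url: str) -> bool:
    """Hypothetical weak check for illustration: only confirms the token came
    from the same Keycloak server, so any realm on that server is accepted."""
    try:
        claims = decode_claims(token)
    except (ValueError, json.JSONDecodeError):
        return False
    return str(claims.get("iss", "")).startswith(server_url.rstrip("/") + "/realms/")

def make_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo (dummy signature segment)."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"

# Constructed sample: a token minted by realm "tenant-a" presented to a
# policy that protects realm "tenant-b" on the same server.
SERVER = "https://sso.example.com"
TOKEN_A = make_token({"iss": expected_issuer(SERVER, "tenant-a"), "sub": "alice"})

if __name__ == "__main__":
    print("realm-bound policy accepts:", accepted_by_policy(TOKEN_A, SERVER, "tenant-b"))
    print("server-only check accepts: ", same_server_only(TOKEN_A, SERVER))
```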
The second vulnerability, CVE-2026-25747, resides within the camel-leveldb component.
This flaw is categorized as a “Deserialization of Untrusted Data” vulnerability. Deserialization vulnerabilities are notoriously dangerous in Java environments: when an application reads serialized data from an untrusted source without proper filtering or validation, an attacker can craft a malicious object that, upon being deserialized, executes arbitrary code or causes a denial of service.
Because Apache Camel acts as the central nervous system for routing data between countless enterprise applications, securing these endpoints is critical. Developers and system administrators running affected versions of either component are strongly urged to apply the relevant patches immediately.
For both vulnerabilities, upgrading to version 4.18.0 (or the corresponding patched version for your specific LTS branch, such as 4.10.9 or 4.14.5 for LevelDB) will secure your integration pipelines against these threats.