This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-website.git
The following commit(s) were added to refs/heads/main by this push:
new 2adf6a09 Added CVE-2026-23552 and CVE-2026-25747 (#1514)
2adf6a09 is described below
commit 2adf6a09a605b8df8dbdaa277b3889d041fa298b
Author: Andrea Cosentino <[email protected]>
AuthorDate: Wed Feb 18 10:02:19 2026 +0100
Added CVE-2026-23552 and CVE-2026-25747 (#1514)
Signed-off-by: Andrea Cosentino <[email protected]>
---
content/security/CVE-2026-23552.md | 17 +++++++++++++++++
content/security/CVE-2026-23552.txt.asc | 31 +++++++++++++++++++++++++++++++
content/security/CVE-2026-25747.md | 17 +++++++++++++++++
content/security/CVE-2026-25747.txt.asc | 31 +++++++++++++++++++++++++++++++
4 files changed, 96 insertions(+)
diff --git a/content/security/CVE-2026-23552.md
b/content/security/CVE-2026-23552.md
new file mode 100644
index 00000000..aec127fb
--- /dev/null
+++ b/content/security/CVE-2026-23552.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-23552"
+date: 2026-02-17T09:00:00+02:00
+url: /security/CVE-2026-23552.html
+draft: false
+type: security-advisory
+cve: CVE-2026-23552
+severity: HIGH
+summary: "Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance in
KeycloakSecurityPolicy"
+description: "The Camel-Keycloak KeycloakSecurityPolicy does not validate the
iss (issuer) claim of JWT tokens against the configured realm. A token issued
by one Keycloak realm is silently accepted by a policy configured for a
completely different realm, breaking tenant isolation."
+mitigation: "Users are recommended to upgrade to version 4.18.0, which fixes
the issue."
+credit: "This issue was discovered by Andrea Cosentino from Apache Software
Foundation"
+affected: From 4.15.0 before 4.18.0.
+fixed: 4.18.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-22854 refers to
the various commits that resolved the issue, and have more details.
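Review bot: the closing sentence of this advisory has a number-agreement slip: "The JIRA ticket: ... refers to the various commits that resolved the issue, and have more details" should read "and has more details", since the subject is the ticket. Two smaller points on the front matter: `date: 2026-02-17T09:00:00+02:00` carries a +02:00 offset while the commit itself is stamped +0100 (February is standard time in Europe), so check which offset the advisory dates are meant to use; and the mitigation gives only the 4.18.0 upgrade, with no interim guidance for deployments that cannot move yet, even though the description pins the defect to an unchecked `iss` claim. Either state explicitly that no workaround short of upgrading exists, or name one, so readers are not left guessing.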
diff --git a/content/security/CVE-2026-23552.txt.asc
b/content/security/CVE-2026-23552.txt.asc
new file mode 100644
index 00000000..6872f1a4
--- /dev/null
+++ b/content/security/CVE-2026-23552.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-23552"
+date: 2026-02-17T09:00:00+02:00
+url: /security/CVE-2026-23552.html
+draft: false
+type: security-advisory
+cve: CVE-2026-23552
+severity: HIGH
+summary: "Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance in
KeycloakSecurityPolicy"
+description: "The Camel-Keycloak KeycloakSecurityPolicy does not validate the
iss (issuer) claim of JWT tokens against the configured realm. A token issued
by one Keycloak realm is silently accepted by a policy configured for a
completely different realm, breaking tenant isolation."
+mitigation: "Users are recommended to upgrade to version 4.18.0, which fixes
the issue."
+credit: "This issue was discovered by Andrea Cosentino from Apache Software
Foundation"
+affected: From 4.15.0 before 4.18.0.
+fixed: 4.18.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-22854 refers to
the various commits that resolved the issue, and have more details.
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmmVfecACgkQ406fOAL/
+QQB7AAf+OapX92rNtAzQgkH7wO3Y7gsWscGBQlU3z3qY+kMobyp9tP+n7FRR02Vy
+hzyS+xh4bD8HHzXgl+d2dJ8FsQOKeJYqCVCCz0MC020uFL8fY/zJQx91n6CILzZ9
+tEsRSZXpcTowmXig67HYaLtDS0P7PDNnJX8ABUPAv9uSnzZUWpdVLrxI78K6xiGq
+Rjx4JFIwxXuB+thJStZqu1uv+xb6NezF4Ro/aXiam1Bu7BpujajHicz4naunFhSj
+Tzbysxt3rXmrvgXO2jobBWs4fh9WkShoSCjvXGGEvCnOjAxNSAOgkAUNzPzBdmrF
+ffM5UxGfAEixgQdg1wLeA1tS9cm2WQ==
+=0F8o
+-----END PGP SIGNATURE-----
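Review bot: this clearsigned copy repeats the text of CVE-2026-23552.md verbatim, including the "and have more details" wording, so any editorial fix to the .md must be applied here too and the file re-signed; otherwise the signed and unsigned advisories diverge and the signature no longer covers the corrected text. The dash-escaped `- ---` lines are the expected clearsign escaping of the front-matter `---` delimiters and are fine as-is. Anyone reviewing the merged file should verify the signature against the signer's published public key rather than trusting the block as it appears in the mail.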
diff --git a/content/security/CVE-2026-25747.md
b/content/security/CVE-2026-25747.md
new file mode 100644
index 00000000..f17ddd08
--- /dev/null
+++ b/content/security/CVE-2026-25747.md
@@ -0,0 +1,17 @@
+---
+title: "Apache Camel Security Advisory - CVE-2026-25747"
+date: 2026-02-18T09:00:00+02:00
+url: /security/CVE-2026-25747.html
+draft: false
+type: security-advisory
+cve: CVE-2026-25747
+severity: HIGH
+summary: "Apache Camel: Camel-LevelDB: Unsafe Deserialization from
LevelDBAggregationRepository"
+description: "The Camel-LevelDB DefaultLevelDBSerializer class deserializes
data read from the LevelDB aggregation repository using
java.io.ObjectInputStream without applying any ObjectInputFilter or
class-loading restrictions. An attacker who can write to the LevelDB database
files used by a Camel application can inject a crafted serialized Java object
that, when deserialized during normal aggregation repository operations,
results in arbitrary code execution in the context of the appli [...]
+mitigation: "Users are recommended to upgrade to version 4.18.0, which fixes
the issue. If users are on the 4.10.x LTS releases stream, then they are
suggested to upgrade to 4.10.9. If users are on the 4.14.x LTS releases stream,
then they are suggested to upgrade to 4.14.5."
+credit: "This issue was discovered by Andrea Cosentino from Apache Software
Foundation"
+affected: From 3.0.0 before 4.10.9, from 4.11.0 before 4.14.5, from 4.15.0
before 4.18.0.
+fixed: 4.10.9, 4.14.5 and 4.18.0
+---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-22966 refers to
the various commits that resolved the issue, and have more details.
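Review bot: the mitigation in this hunk says "If users are on the 4.10.x LTS releases stream" (twice); "release stream" is the usual form. More substantively, the description's precondition "An attacker who can write to the LevelDB database files used by a Camel application" is the entire attack model, and the advisory does not spell out what that access implies (write access to the repository's on-disk files on the host running Camel), so a reader cannot judge the HIGH rating or decide between patching now and scheduling. One sentence stating that the trust boundary is the file system holding the LevelDB store, and that those files should be writable only by the Camel process's own account, would make the risk assessment possible. The closing sentence has the same "and have more details" slip as the other advisory.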
diff --git a/content/security/CVE-2026-25747.txt.asc
b/content/security/CVE-2026-25747.txt.asc
new file mode 100644
index 00000000..0100c998
--- /dev/null
+++ b/content/security/CVE-2026-25747.txt.asc
@@ -0,0 +1,31 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+- ---
+title: "Apache Camel Security Advisory - CVE-2026-25747"
+date: 2026-02-18T09:00:00+02:00
+url: /security/CVE-2026-25747.html
+draft: false
+type: security-advisory
+cve: CVE-2026-25747
+severity: HIGH
+summary: "Apache Camel: Camel-LevelDB: Unsafe Deserialization from
LevelDBAggregationRepository"
+description: "The Camel-LevelDB DefaultLevelDBSerializer class deserializes
data read from the LevelDB aggregation repository using
java.io.ObjectInputStream without applying any ObjectInputFilter or
class-loading restrictions. An attacker who can write to the LevelDB database
files used by a Camel application can inject a crafted serialized Java object
that, when deserialized during normal aggregation repository operations,
results in arbitrary code execution in the context of the appli [...]
+mitigation: "Users are recommended to upgrade to version 4.18.0, which fixes
the issue. If users are on the 4.10.x LTS releases stream, then they are
suggested to upgrade to 4.10.9. If users are on the 4.14.x LTS releases stream,
then they are suggested to upgrade to 4.14.5."
+credit: "This issue was discovered by Andrea Cosentino from Apache Software
Foundation"
+affected: From 3.0.0 before 4.10.9, from 4.11.0 before 4.14.5, from 4.15.0
before 4.18.0.
+fixed: 4.10.9, 4.14.5 and 4.18.0
+- ---
+
+The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-22966 refers to
the various commits that resolved the issue, and have more details.
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAEBCgAdFiEEJ2Y0ButtuvUpHyYV406fOAL/QQAFAmmVffUACgkQ406fOAL/
+QQA54wf/bVarLmuaZu3lfQ4WIcMI1dxloORfKzunL+RmtzBuLcZV0jwVSaRp6EeT
+tzZiOw4ygk7Cih9sOeKI3TuIDpoCWIkvHdE9lU0AG0t+6fXH+xxB67juRtUJ+zKE
+Ws0D67EHQFXH8YCsoBEwiBxEzc5wMRN24we2QDd6Dr5h0ZCsWMg70+vYlEY6vp25
+GXaj0qu+LZNTCYTWfylbtTeNyBx9ZPahFp1JZlgpIk9AfSKyJSHbDRZ4JWiwYjcC
+TQf5Ejyi+OlBv+kNKELOEWs94g6IJmz57MrKqnRVzpU2DMmP3BsTyuxULrBSwRgj
+AkEVipsZ/dBM4EhGnu2SY+hRvE3KNg==
+=VGCl
+-----END PGP SIGNATURE-----
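Review bot: same synchronisation point as the other signed copy: this file duplicates CVE-2026-25747.md verbatim, including the "LTS releases stream" wording, so any change to the .md has to land here as well, followed by a fresh signature. Given that every advisory ships as a .md/.txt.asc pair, consider a CI check that compares the clearsigned body against the .md so the two cannot drift unnoticed.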