
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN188
_____________________________________________________________________

DATE                : 18/02/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Camel versions prior
                     to 4.18.0, 4.10.9, 4.14.5.

=====================================================================
https://lists.apache.org/thread/5474y4xnj1sjrjlq3s5cvddd58sj3bq7
https://lists.apache.org/thread/5pb0xpbjtw2p6qn9smq3b6l811v4n80y
_____________________________________________________________________

https://camel.apache.org/security/CVE-2026-25747.html: CVE-2026-25747:
Apache Camel: Deserialization of Untrusted Data in Camel LevelDB

Severity: important

Affected versions:

- Apache Camel (org.apache.camel:camel-leveldb) 4.10.0 before 4.10.9
- Apache Camel (org.apache.camel:camel-leveldb) 4.14.0 before 4.14.5
- Apache Camel (org.apache.camel:camel-leveldb) 4.15.0 before 4.18.0

Description:

Deserialization of Untrusted Data vulnerability in the Apache Camel
LevelDB component.

This issue affects Apache Camel: from 4.10.0 before 4.10.8, from
4.14.0 before 4.14.5, from 4.15.0 before 4.18.0.

Users are recommended to upgrade to version 4.18.0, which fixes the
issue. For the 4.10.x LTS releases, users are recommended to upgrade
to 4.10.9, while for 4.14.x LTS releases, users are recommended to
upgrade to 4.14.5.

This issue is being tracked as CAMEL-22966.

Credit:

Andrea Cosentino (finder)
Andrea Cosentino (remediation developer)

References:

https://github.com/oscerd/CVE-2026-25747
https://camel.apache.org/security/CVE-2026-25747.html
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-25747
https://issues.apache.org/jira/browse/CAMEL-22966

_____________________________________________________________________

https://camel.apache.org/security/CVE-2026-23552.html: CVE-2026-23552:
Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in
KeycloakSecurityPolicy

Severity: important

Affected versions:

- Apache Camel (org.apache.camel:camel-keycloak) 4.15.0 before 4.18.0

Description:

Cross-Realm Token Acceptance Bypass in the KeycloakSecurityPolicy of the
Apache Camel Keycloak component.

This issue affects Apache Camel: from 4.15.0 before 4.18.0.

Users are recommended to upgrade to version 4.18.0, which fixes the
issue.

This issue is being tracked as CAMEL-22854.

Credit:

Andrea Cosentino (finder)
Andrea Cosentino (remediation developer)

References:

https://camel.apache.org/security/CVE-2026-23552.html
https://github.com/oscerd/CVE-2026-23552
https://camel.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-23552
https://issues.apache.org/jira/browse/CAMEL-22854
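To turn the two "Affected versions" tables above into a check that can be run against a build, here is an added example (not from CERT-Renater or the Apache Camel project) that scans a Maven pom.xml for the camel-leveldb and camel-keycloak ranges listed in both advisories. The sample pom is constructed, and versions managed through Maven properties (`${...}`) are skipped rather than resolved.

```python
import xml.etree.ElementTree as ET

def parse_version(v):
    """'4.10.9' -> (4, 10, 9); qualifiers such as '-SNAPSHOT' are dropped, missing parts are zero."""
    parts = [int(p) for p in v.split("-")[0].split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

# (from, before) pairs copied from the "Affected versions" sections above; "before" is also the fixed release.
AFFECTED = {
    "org.apache.camel:camel-leveldb": [((4, 10, 0), (4, 10, 9)), ((4, 14, 0), (4, 14, 5)), ((4, 15, 0), (4, 18, 0))],
    "org.apache.camel:camel-keycloak": [((4, 15, 0), (4, 18, 0))],
}
CVE = {"org.apache.camel:camel-leveldb": "CVE-2026-25747",
       "org.apache.camel:camel-keycloak": "CVE-2026-23552"}

def fixed_version_for(artifact, version):
    """Return the release to upgrade to if (artifact, version) is in an affected range, else None."""
    v = parse_version(version)
    for low, high in AFFECTED.get(artifact, []):
        if low <= v < high:
            return ".".join(map(str, high))
    return None
def scan_pom(pom_xml):
    """Return (artifact, declared version, CVE, fixed version) for each affected dependency in a pom."""
    ns = {"m": "http://maven.apache.org/POM/4.0.0"}
    hits = []
    for dep in ET.fromstring(pom_xml).iterfind(".//m:dependency", ns):
        gid = dep.findtext("m:groupId", default="", namespaces=ns)
        aid = dep.findtext("m:artifactId", default="", namespaces=ns)
        ver = dep.findtext("m:version", default="", namespaces=ns)
        if not ver or "${" in ver:  # property-managed versions must be resolved first; skipped here
            continue
        artifact = f"{gid}:{aid}"
        fixed = fixed_version_for(artifact, ver)
        if fixed:
            hits.append((artifact, ver, CVE[artifact], fixed))
    return hits

# Constructed sample pom (not from the advisory): one vulnerable, one already fixed, one unrelated dependency.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.apache.camel</groupId><artifactId>camel-leveldb</artifactId><version>4.14.3</version></dependency>
    <dependency><groupId>org.apache.camel</groupId><artifactId>camel-keycloak</artifactId><version>4.18.0</version></dependency>
    <dependency><groupId>org.apache.camel</groupId><artifactId>camel-core</artifactId><version>4.14.3</version></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for hit in scan_pom(SAMPLE_POM):
        print("%s %s is affected by %s; upgrade to %s" % hit)
```

Versions inherited from a parent pom or a BOM do not appear in the `<dependency>` element, so run the check on the output of `mvn dependency:list` for a complete picture.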

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================