CVE-2026-40022: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Apache Software Foundation Apache Camel Platform HTTP Main
When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2.
AI Analysis
Technical Summary
This vulnerability arises from the way Apache Camel's embedded HTTP server and management server handle authentication paths. When a non-root context path is configured and the authentication path is not explicitly set, the authentication handler matches only the exact context path, not its subpaths, due to the Vert.x sub-router mounting model. Consequently, unauthenticated requests to subpaths bypass authentication checks, reaching protected routes and management endpoints. This can lead to unauthorized access and information disclosure via endpoints like /observe/info. Affected versions include Apache Camel 4.14.1 up to but not including 4.14.6, and 4.18.0 up to but not including 4.18.2. Upgrading to 4.14.6, 4.18.2, or 4.20.0 resolves the issue.
Potential Impact
Unauthenticated attackers can bypass authentication on subpaths of configured context paths, potentially accessing protected business routes and management endpoints without credentials. Sensitive runtime metadata such as user identity, working directory, process ID, JVM, and operating system information may be disclosed via the /observe/info endpoint. This could aid attackers in further reconnaissance or exploitation.
Mitigation Recommendations
Users should upgrade Apache Camel to version 4.14.6 if using the 4.14.x LTS stream, to 4.18.2 if using the 4.18.x LTS stream, or to 4.20.0 or later. These versions include fixes that correctly enforce authentication on subpaths. Patch status is confirmed by the vendor advisory recommending these upgrades. No alternative mitigations are indicated.
CVE-2026-40022: CWE-288 Authentication Bypass Using an Alternate Path or Channel in Apache Software Foundation Apache Camel Platform HTTP Main
Description
When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability arises from the way Apache Camel's embedded HTTP server and management server handle authentication paths. When a non-root context path is configured and the authentication path is not explicitly set, the authentication handler matches only the exact context path, not its subpaths, due to the Vert.x sub-router mounting model. Consequently, unauthenticated requests to subpaths bypass authentication checks, reaching protected routes and management endpoints. This can lead to unauthorized access and information disclosure via endpoints like /observe/info. Affected versions include Apache Camel 4.14.1 up to but not including 4.14.6, and 4.18.0 up to but not including 4.18.2. Upgrading to 4.14.6, 4.18.2, or 4.20.0 resolves the issue.
Potential Impact
Unauthenticated attackers can bypass authentication on subpaths of configured context paths, potentially accessing protected business routes and management endpoints without credentials. Sensitive runtime metadata such as user identity, working directory, process ID, JVM, and operating system information may be disclosed via the /observe/info endpoint. This could aid attackers in further reconnaissance or exploitation.
Mitigation Recommendations
Users should upgrade Apache Camel to version 4.14.6 if using the 4.14.x LTS stream, to 4.18.2 if using the 4.18.x LTS stream, or to 4.20.0 or later. These versions include fixes that correctly enforce authentication on subpaths. Patch status is confirmed by the vendor advisory recommending these upgrades. No alternative mitigations are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-08T10:06:36.340Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ef33a6ba26a39fba15412c
Added to database: 4/27/2026, 10:00:06 AM
Last enriched: 4/27/2026, 10:15:51 AM
Last updated: 4/28/2026, 1:45:21 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.