High

Authentication Bypass on Non-Root Context Paths in Apache Camel camel-platform-http-main

IdentifiersCVE-2026-40022CWE-288· Authentication Bypass Using an…

CVE-2026-40022 is an authentication bypass vulnerability in Apache Camel's camel-platform-http-main component affecting the embedded HTTP server and embedded management server. When authentication is enabled and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer derive the authentication path from properties.getPath() if camel.server.authenticationPath or camel.management.authenticationPath is not explicitly set. Due to the Vert.x sub-router mounting model, the sub-router is mounted at the configured path while the authentication handler is registered inside that sub-router at the resolved path, causing the handler to match only the exact configured context path rather than subpaths beneath it. As a result, unauthenticated requests to subpaths such as /api/route or /admin/observe/info can reach protected business routes and management endpoints without being challenged for credentials.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote unauthenticated access to endpoints that administrators intended to protect with Basic or JWT authentication. This can expose protected business routes and management interfaces. In particular, the /observe/info endpoint may disclose runtime metadata including the running user, working directory, home directory, process ID, JVM details, and operating system information. Depending on the deployed routes and management capabilities exposed under the affected non-root path, impact may extend beyond information disclosure to unauthorized invocation of application functionality.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, avoid the vulnerable configuration by explicitly setting camel.server.authenticationPath or camel.management.authenticationPath so authentication is applied to the intended paths, and restrict external access to embedded HTTP and management endpoints through network controls or reverse-proxy enforcement. Particular attention should be given to deployments using non-root context paths such as /api or /admin with authentication enabled.

Remediation

Patch, then assume compromise.

Upgrade to a fixed Apache Camel release. Apache recommends upgrading to 4.20.0. For users remaining on supported LTS branches, upgrade 4.14.x deployments to 4.14.6 or later and 4.18.x deployments to 4.18.2 or later.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

Apache Software FoundationCamelapplication

Apache Software FoundationCamel-Platform-Http-Mainapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app

camel apacheNews

Jan 1, 2026

Apache Camel Security Advisory - CVE-2026-40022 - Apache Camel

An authentication bypass vulnerability in Apache Camel's camel-platform-http-main component when authentication is enabled and a non-root context path is configured, allowing unauthenticated access to protected subpaths and exposure of runtime metadata.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-40022

NVD

nvd.nist.gov/vuln/detail/CVE-2026-40022

MITRE CWE · CWE-288

Authentication Bypass Using an Alternate Path…

Vendor Advisory

camel.apache.org/security/CVE-2026-40022.html

Third Party Advisory

openwall.com/lists/oss-security/2026/04/26/5