# Apache Camel Security Advisory: CVE-2026-40022

## Vulnerability Overview

- **Severity**: Medium
- **Summary**: An authentication bypass vulnerability exists in Apache Camel-Platform-HTTP-Main. When the embedded HTTP server or embedded management server is enabled in the Camel Main runtime and a non-root context path (such as `/api` or `/admin`) is configured, the `BasicAuthenticationConfigurer` and `JWTAuthenticationConfigurer` classes derive the authentication path from `properties.getPath()` whenever `camel.server.authenticationPath` is not explicitly set.
- **Technical Details**: Combined with Vert.x's sub-router mounting model (where sub-routers are mounted under `_path_*`), the authentication handler is registered inside the sub-router that resolves the path. As a result, the authentication handler matches only the configured context path itself, not its sub-paths. Unauthenticated requests to sub-paths such as `/api/_route_` or `/admin/observe/info` can therefore reach protected business routes and management endpoints without a credential challenge. The `/observe/info` endpoint may leak runtime metadata, including user, working directory, home directory, process ID, JVM, and operating system information.

## Affected Versions

- **Affected Versions**:
  - From 4.14.1 to 4.14.6
  - From 4.15.0 to 4.18.2
- **Fixed Versions**:
  - 4.14.6
  - 4.18.2
  - 4.20.0

## Remediation

- **Mitigation**:
  - Users are advised to upgrade to version **4.20.0**, which fixes this issue.
  - If users are on the 4.14.x LTS release stream, it is recommended to upgrade to **4.14.6**.
  - If users are on the 4.18.x LTS release stream, it is recommended to upgrade to **4.18.2**.

## Additional Information

- **Discoverer**: Jihang Yu
- **References**:
  - PGP-signed advisory data: [CVE-2026-40022.txt.asc](https://www.apache.org/dist/camel/SECURITY/CVE-2026-40022.txt.asc)
  - Mitre CVE entry: [CVE-2026-40022](https://www.cve.org/CVERecord?id=CVE-2026-40022)
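The following is an added, constructed model of the path-scoping problem the advisory describes; it is not Camel or Vert.x code. It assumes Vert.x-style route matching (a route path without a trailing `/*` matches only that exact path, while `/prefix/*` matches the prefix and everything below it) and uses `effective_auth_path` to mirror the advisory's statement that the auth path falls back to the context path when `camel.server.authenticationPath` is unset; the endpoint list is constructed, and the supported remediation remains the version upgrade listed above.

```python
"""Model of an auth handler scoped to a bare context path missing its sub-paths.

Constructed audit helper for the advisory's mechanism (not Camel or Vert.x code).
Assumption: Vert.x-style matching, where "/api" matches only "/api" (or "/api/")
and "/api/*" matches "/api" plus every path beneath it.
"""
from typing import List, Optional


def matches(route_path: str, request_path: str) -> bool:
    """Return True if a Vert.x-style route path would match the request path."""
    if route_path.endswith("/*"):
        prefix = route_path[:-2]
        return request_path == prefix or request_path.startswith(prefix + "/")
    # No wildcard: exact match only (trailing slash tolerated).
    return request_path.rstrip("/") == route_path.rstrip("/")


def effective_auth_path(context_path: str, authentication_path: Optional[str]) -> str:
    """Mirror the advisory: with no explicit authenticationPath, the auth handler
    is registered on the context path itself (properties.getPath())."""
    return authentication_path if authentication_path else context_path


def unprotected(context_path: str, authentication_path: Optional[str],
                endpoints: List[str]) -> List[str]:
    """List endpoints the auth handler would never run for under this config."""
    auth = effective_auth_path(context_path, authentication_path)
    return [p for p in endpoints if not matches(auth, p)]


# Constructed request paths, patterned on the advisory's examples.
ENDPOINTS = ["/api", "/api/orders", "/api/observe/info"]

if __name__ == "__main__":
    # Derived auth path "/api": only the bare context path is challenged.
    print(unprotected("/api", None, ENDPOINTS))
    # A wildcard-scoped auth path covers the whole subtree.
    print(unprotected("/api", "/api/*", ENDPOINTS))
```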