Cyber Posture

CVE-2026-40022

Severity: High

Published: 27 April 2026

Modified: 28 April 2026
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0016 (36.4th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model (the sub-router is mounted at <path>/* and the authentication handler is registered inside the sub-router at the resolved path), this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/<route> or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information.

This issue affects Apache Camel from 4.14.1 before 4.14.6 and from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. Users on the 4.14.x LTS release stream are suggested to upgrade to 4.14.6; users on the 4.18.x LTS release stream are suggested to upgrade to 4.18.2.
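The failure mode described above is an authentication handler bound to the exact context path while the router forwards every subpath. The following is an added, simplified model of that matching behaviour; it is not Apache Camel or Vert.x code and does not show the Camel property syntax for the fix. It contrasts exact-path matching (which the advisory says the affected versions effectively do) with segment-aware prefix matching, and lists which constructed request paths each mode would leave unchallenged. The request paths and the helper names (normalize, exact_match, prefix_match, unchallenged) are this example's own.

```python
"""Model of exact-path vs. prefix-based binding of an authentication handler.

Added illustration for CVE-2026-40022; not Camel/Vert.x code. The request
paths below are constructed for the example.
"""
import posixpath


def normalize(path: str) -> str:
    """Canonicalise a request path before matching it against the auth path.

    Drops any query string, collapses repeated slashes (including a leading
    '//', which posixpath.normpath would otherwise preserve), resolves '.'
    and '..' segments, and removes a trailing slash except for the root.
    Matching without this step lets trivially rewritten paths slip past a
    prefix check even when the prefix itself is correct.
    """
    path = path.split("?", 1)[0]
    path = "/" + path.lstrip("/")
    return posixpath.normpath(path)


def exact_match(auth_path: str, request_path: str) -> bool:
    """Handler registered at the exact context path only (the flawed mode)."""
    return normalize(auth_path) == normalize(request_path)


def prefix_match(auth_path: str, request_path: str) -> bool:
    """Handler covering the context path and everything beneath it.

    The boundary check ('auth + "/"') keeps '/administrator' from being
    treated as a subpath of '/admin'.
    """
    auth = normalize(auth_path)
    req = normalize(request_path)
    if auth == "/":
        return True
    return req == auth or req.startswith(auth + "/")


MATCHERS = {"exact": exact_match, "prefix": prefix_match}


def unchallenged(auth_path: str, request_paths: list, mode: str) -> list:
    """Return the request paths that would NOT be challenged in the given mode."""
    match = MATCHERS[mode]
    return [p for p in request_paths if not match(auth_path, p)]


# Constructed sample requests against a management server mounted at /admin.
SAMPLE_REQUESTS = [
    "/admin",
    "/admin/",
    "/admin/observe/info",
    "/admin//observe/info",
    "/admin/observe/../observe/info",
    "/administrator",          # shares the prefix text but is a different resource
    "/admin?x=1",
    "/healthz",                # outside the protected context path
]

if __name__ == "__main__":
    for mode in MATCHERS:
        print(f"{mode:6}: unchallenged -> {unchallenged('/admin', SAMPLE_REQUESTS, mode)}")
```

Running the block shows that in exact mode every subpath of /admin, including the /admin/observe/info endpoint named in the advisory, goes through without a challenge, while prefix mode leaves only /administrator and /healthz unchallenged, both of which lie outside the protected context path.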

Mitigating Controls (NIST 800-53 r5)

Prevent: Requires enforcement of approved access authorizations to prevent unauthenticated requests from reaching protected business routes and management endpoints under configured context paths like /api and /admin.

Prevent: Mandates identification, reporting, and correction of flaws such as the authentication path derivation bug in Apache Camel that enables bypass via subpaths.

Prevent: Ensures secure configuration settings explicitly define authentication paths so that they cover subpaths, rather than relying on automatic derivation that fails because of the Vert.x sub-router behavior.

Security Summary

CVE-2026-40022 is a vulnerability in the Apache Camel embedded HTTP server and embedded management server (camel-platform-http-main) when authentication is enabled via BasicAuthenticationConfigurer or JWTAuthenticationConfigurer and a non-root context path, such as /api or /admin, is configured using camel.server.path or camel.management.path. The issue arises because these configurers derive the authentication path from properties.getPath() if camel.server.authenticationPath or camel.management.authenticationPath is not explicitly set. Due to Vert.x's sub-router mounting model, where the sub-router mounts at the path prefix and the authentication handler registers at the exact resolved path, authentication only applies to the precise context path and not its subpaths. This allows unauthenticated access to protected business routes and management endpoints under those subpaths, such as /api/_route_ or /admin/observe/info. The vulnerability affects Apache Camel versions from 4.14.1 before 4.14.6 and from 4.18.0 before 4.18.2, with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-288 (Authentication Bypass Using an Alternate Path or Channel).

Any unauthenticated attacker with network access to the affected Apache Camel server can exploit this vulnerability by crafting HTTP requests to unprotected subpaths under the configured context paths. For instance, requests to /admin/observe/info bypass authentication entirely, enabling attackers to retrieve sensitive runtime metadata including the current user, working directory, home directory, process ID, JVM details, and operating system information. This results in high confidentiality impact through information disclosure and low integrity impact, potentially aiding further reconnaissance or attacks, without requiring privileges, user interaction, or elevated complexity.

The official Apache Camel security advisory at https://camel.apache.org/security/CVE-2026-40022.html and the announcement on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/04/26/5 recommend upgrading to Apache Camel version 4.20.0 to remediate the issue. Users on the 4.14.x LTS release stream should upgrade to 4.14.6, while those on the 4.18.x LTS stream should upgrade to 4.18.2. No additional workarounds are specified beyond these version updates.

Details

CWE(s)

CWE-288 Authentication Bypass Using an Alternate Path or Channel

Affected Products

apache
camel
4.14.1 — 4.14.6 · 4.15.0 — 4.18.2

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1082 System Information Discovery (Discovery)
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

T1033 System Owner/User Discovery (Discovery)
Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system.

Why these techniques?

The CVE enables exploitation of a public-facing application (T1190) via authentication bypass (CWE-288), granting unauthenticated access to management endpoints that disclose system information (T1082: OS, JVM, PID, directories) and the current user (T1033).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References