--- a/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/MainAuthenticationConfigurer.java
+++ b/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/MainAuthenticationConfigurer.java
@@ -19,6 +19,7 @@
 import org.apache.camel.component.platform.http.vertx.auth.AuthenticationConfig;
 import org.apache.camel.main.HttpManagementServerConfigurationProperties;
 import org.apache.camel.main.HttpServerConfigurationProperties;
+import org.apache.camel.util.ObjectHelper;
 
 /**
  * Configure authentication on the embedded HTTP server.
@@ -30,4 +31,43 @@
     void configureAuthentication(
             AuthenticationConfig authenticationConfig, HttpManagementServerConfigurationProperties properties);
 
+    /**
+     * Resolves the effective authentication path that is registered on the Vert.x sub-router which hosts the
+     * platform-http routes. Because that sub-router is mounted under the configured context path, route matching
+     * inside it is performed <i>relative</i> to that context path.
+     * <p>
+     * When no explicit {@code authenticationPath} is configured, the authentication handler is registered at
+     * {@code /*} so that every subpath under the context path is protected (CVE-2026-40022).
+     * <p>
+     * When an explicit {@code authenticationPath} is configured it is interpreted relative to the context path. If
+     * the value equals (or starts with) the context path it is normalized back to a relative form, and a value that
+     * resolves to the whole context (e.g. {@code /api}, {@code /api/*} with context {@code /api}, or {@code /}) is
+     * widened to {@code /*} so that "protect the context" actually protects all of its subpaths. A genuine relative
+     * sub-path such as {@code /secure/*} is preserved unchanged for selective protection.
+     *
+     * @param authenticationPath the explicitly configured authentication path, may be {@code null}/empty
+     * @param contextPath        the configured server/management context path, may be {@code null}/empty
+     * @return the effective authentication path to register on the sub-router
+     */
+    default String resolveAuthenticationPath(String authenticationPath, String contextPath) {
+        if (ObjectHelper.isNotEmpty(authenticationPath)) {
+            String path = authenticationPath;
+            // The authentication handler is registered on the sub-router, which matches paths relative to the
+            // configured context path. Strip the context prefix from an explicit value that includes it so that a
+            // doc-encouraged configuration such as authenticationPath=/api (with camel.server.path=/api) protects
+            // the real subpaths instead of only the non-existent /api/api.
+            if (ObjectHelper.isNotEmpty(contextPath) && !"/".equals(contextPath)
+                    && (path.equals(contextPath) || path.startsWith(contextPath + "/"))) {
+                path = path.substring(contextPath.length());
+            }
+            // An empty or root-relative remainder means "protect the whole context" -> widen to /* .
+            if (ObjectHelper.isEmpty(path) || "/".equals(path)) {
+                path = "/*";
+            }
+            return path;
+        }
+        // No explicit authentication path: protect every subpath under the context path.
+        return "/*";
+    }
+
 }
--- a/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/BasicAuthenticationConfigurer.java
+++ b/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/BasicAuthenticationConfigurer.java
@@ -23,8 +23,6 @@
 import org.apache.camel.main.HttpManagementServerConfigurationProperties;
 import org.apache.camel.main.HttpServerConfigurationProperties;
 
-import static org.apache.camel.util.ObjectHelper.isNotEmpty;
-
 public class BasicAuthenticationConfigurer implements MainAuthenticationConfigurer {
 
     @Override
@@ -32,12 +30,7 @@
             AuthenticationConfig authenticationConfig,
             HttpServerConfigurationProperties properties) {
         String authPropertiesFileName = properties.getBasicPropertiesFile();
-        String path
-                = isNotEmpty(properties.getAuthenticationPath()) ? properties.getAuthenticationPath() : properties.getPath();
-        // root means to authenticate everything
-        if ("/".equals(path)) {
-            path = "/*";
-        }
+        String path = resolveAuthenticationPath(properties.getAuthenticationPath(), properties.getPath());
 
         AuthenticationConfigEntry entry = new AuthenticationConfigEntry();
         entry.setPath(path);
@@ -54,12 +47,7 @@
             AuthenticationConfig authenticationConfig,
             HttpManagementServerConfigurationProperties properties) {
         String authPropertiesFileName = properties.getBasicPropertiesFile();
-        String path
-                = isNotEmpty(properties.getAuthenticationPath()) ? properties.getAuthenticationPath() : properties.getPath();
-        // root means to authenticate everything
-        if ("/".equals(path)) {
-            path = "/*";
-        }
+        String path = resolveAuthenticationPath(properties.getAuthenticationPath(), properties.getPath());
 
         AuthenticationConfigEntry entry = new AuthenticationConfigEntry();
         entry.setPath(path);
--- a/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/JWTAuthenticationConfigurer.java
+++ b/components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/JWTAuthenticationConfigurer.java
@@ -28,8 +28,6 @@
 import org.apache.camel.main.HttpManagementServerConfigurationProperties;
 import org.apache.camel.main.HttpServerConfigurationProperties;
 
-import static org.apache.camel.util.ObjectHelper.isNotEmpty;
-
 public class JWTAuthenticationConfigurer implements MainAuthenticationConfigurer {
 
     @Override
@@ -37,12 +35,7 @@
             AuthenticationConfig authenticationConfig,
             HttpServerConfigurationProperties properties) {
 
-        String path
-                = isNotEmpty(properties.getAuthenticationPath()) ? properties.getAuthenticationPath() : properties.getPath();
-        // root means to authenticate everything
-        if ("/".equals(path)) {
-            path = "/*";
-        }
+        String path = resolveAuthenticationPath(properties.getAuthenticationPath(), properties.getPath());
 
         AuthenticationConfigEntry entry = new AuthenticationConfigEntry();
         entry.setPath(path);
@@ -71,12 +64,7 @@
             AuthenticationConfig authenticationConfig,
             HttpManagementServerConfigurationProperties properties) {
 
-        String path
-                = isNotEmpty(properties.getAuthenticationPath()) ? properties.getAuthenticationPath() : properties.getPath();
-        // root means to authenticate everything
-        if ("/".equals(path)) {
-            path = "/*";
-        }
+        String path = resolveAuthenticationPath(properties.getAuthenticationPath(), properties.getPath());
 
         AuthenticationConfigEntry entry = new AuthenticationConfigEntry();
         entry.setPath(path);
