CVE-2026-40022 reproduction summary Artifact: org.apache.camel:camel-platform-http-main Vulnerable version: 4.14.5 Fixed version: 4.14.6 Config: camel.server.path=/api, camel.server.authenticationEnabled=true, camel.server.basicPropertiesFile=auth.properties, route platform-http:/hello ---- Vulnerable (4.14.5) ---- /api/hello no credentials : HTTP 200 /api/hello with credentials: HTTP 200 ---- Fixed (4.14.6) ---- /api/hello no credentials : HTTP 401 /api/hello with credentials: HTTP 200 VERDICT: CONFIRMED - unauthenticated subpath access succeeds on vulnerable (200), rejected on fixed (401) with identical config -> authentication bypass.