CVE-2026-40022 VARIANT reproduction summary Artifact: org.apache.camel:camel-platform-http-main Vulnerable: 4.14.5 Fixed: 4.14.6 Route: platform-http:/hello (served at /api/hello); mgmt info at /admin/observe/info ---- Vulnerable (4.14.5) ---- business default (no authPath) /api/hello no creds : HTTP 200 business explicit authPath=/api /api/hello no creds : HTTP 200 mgmt default (no mgmt authPath) /admin/observe/info : HTTP 200 mgmt explicit authPath=/admin /admin/observe/info : HTTP 200 ---- Fixed (4.14.6) ---- business default (no authPath) /api/hello no creds : HTTP 401 (CVE fix: should be 401) business explicit authPath=/api /api/hello no creds : HTTP 200 (BYPASS if 200) mgmt default (no mgmt authPath) /admin/observe/info : HTTP 401 (CVE fix: should be 401) mgmt explicit authPath=/admin /admin/observe/info : HTTP 200 (BYPASS if 200) VERDICT: BYPASS CONFIRMED on fixed 4.14.6 -- explicit authenticationPath set to the context prefix (/api, /admin) leaves subpaths unauthenticated (200) on the PATCHED build, while the default is correctly fixed (401).