{
  "parent_claim_id": "CVE-2026-40022",
  "variant_id": "cve-2026-40022-camel-platform-http-main-explicit-authpath-bypass",
  "same_root_cause": true,
  "same_sink": true,
  "same_trust_boundary": true,
  "equivalence_confidence": "high",
  "parent_root_cause": "When camel.server.path / camel.management.path is a non-root context path and authenticationPath is NOT explicitly set, BasicAuthenticationConfigurer/JWTAuthenticationConfigurer resolve the auth path to properties.getPath() (the context path) and register it on the Vert.x sub-router. Because Route.subRouter() matches relative to the consumed context prefix, an auth handler registered at the exact context path (e.g. /api) never matches the real relative subpaths (e.g. /hello), so unauthenticated requests to /api/hello reach protected routes without being challenged.",
  "variant_root_cause": "Same mechanism, different data path: when authenticationPath IS explicitly set to the context prefix (e.g. /api or /admin) -- a configuration the property Javadoc encourages -- the patched resolveAuthenticationPath returns it verbatim (ignoring contextPath) and it is registered on the sub-router at subRouter.route(entry.getPath()), again relative to the consumed context prefix. /api registered relative matches only /api/api, not /api/hello; /admin matches only /admin/admin, not /admin/observe/info. Unauthenticated subpath requests still bypass auth on the patched build.",
  "shared_sink": "VertxPlatformHttpServer.addAuthenticationHandlersStartingFromMoreSpecificPaths -> subRouter.route(entry.getPath()).handler(entry.createAuthenticationHandler(vertx)), combined with router.route(configuration.getPath() + '*').subRouter(subRouter). The auth handler path is matched relative to the consumed context prefix; any entry.getPath() that equals or starts with the context prefix fails to match the real subpaths.",
  "shared_sink_location": "components/camel-platform-http-vertx/src/main/java/org/apache/camel/component/platform/http/vertx/VertxPlatformHttpServer.java:332-337 (registration) and :200 (sub-router mount)",
  "fix_changed_root_cause": "Partially. The fix (commit a9ebee94af97) eliminates the parent root cause ONLY for the unset/default branch by defaulting resolveAuthenticationPath to '/*'. It does NOT change the explicit-authenticationPath branch (returns the value verbatim) and does not normalize an explicit value against the context path, so the same sink remains reachable via an explicit authenticationPath equal to the context prefix. The contextPath argument to resolveAuthenticationPath is dead code.",
  "what_a_complete_fix_must_do": [
    "Normalize an explicit authenticationPath that equals or starts with contextPath (strip the prefix; widen an empty/root remainder to /*), using the currently-dead contextPath argument.",
    "Emit a startup warning when an explicit authenticationPath does not cover any registered subpath (e.g. equals the context prefix without a wildcard).",
    "Clarify the Javadoc for setAuthenticationPath (server + management): the path is relative to the context path, a wildcard is required to protect subpaths, and unset = protect everything under the context.",
    "Add a regression test: camel.server.path=/api + camel.server.authenticationPath=/api must yield 401 for /api/hello; the management equivalent for /admin/observe/info."
  ],
  "distinct_from_parent": "The parent CVE is triggered by the DEFAULT (unset authenticationPath). This variant is triggered by an EXPLICIT authenticationPath equal to the context prefix -- a materially different operator-controlled data path that the fix's default-resolution change does not touch, and that the user-facing documentation actively encourages."
}
