{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "variant_result": "confirmed",
  "bypass_on_fixed_version": true,
  "validated_surface": "api_remote",
  "evidence_scope": "production_path",
  "claimed_impact_class": "authz_bypass",
  "observed_impact_class": "authz_bypass",
  "secondary_observed_impact_class": "information_disclosure",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "unauthenticated HTTP GET to /api/hello (business route) and /admin/observe/info (management) on the patched embedded Camel server when an explicit authenticationPath is set to the context prefix",
  "trigger_path": "camel-platform-http-main 4.14.6 (patched): camel.server.path=/api + camel.server.authenticationPath=/api (explicit, doc-encouraged) -> resolveAuthenticationPath returns /api verbatim -> subRouter.route('/api') registered relative to the /api* sub-router mount -> matches only /api/api, not /api/hello -> unauthenticated GET /api/hello returns 200. Same for management: camel.management.path=/admin + camel.management.authenticationPath=/admin -> /admin/observe/info leaks runtime metadata.",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": false,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "blocking_mitigation": null,
  "inferred": false,
  "tested_versions": {
    "vulnerable": "4.14.5",
    "fixed": "4.14.6"
  },
  "results_matrix": {
    "vulnerable_4.14.5": {
      "business_default_no_creds": "200",
      "business_explicit_authpath_api_no_creds": "200",
      "management_default_no_creds": "200",
      "management_explicit_authpath_admin_no_creds": "200"
    },
    "fixed_4.14.6": {
      "business_default_no_creds": "401",
      "business_explicit_authpath_api_no_creds": "200",
      "management_default_no_creds": "401",
      "management_explicit_authpath_admin_no_creds": "200",
      "all_with_creds": "200"
    }
  },
  "verdict_logic": "Bypass confirmed on the FIXED 4.14.6 because (a) the default case is correctly fixed (business default 401, management default 401 -- authentication is genuinely enabled and routes are healthy, with-creds always 200), while (b) the explicit-authenticationPath-equals-context-prefix case still returns 200 without credentials on the same patched build for BOTH the business route (/api/hello) and the management info endpoint (/admin/observe/info, with runtime-metadata disclosure). The fix changed only the default-resolution branch; the explicit-prefix data path is identical on 4.14.5 and 4.14.6 and remains open.",
  "scope_honesty_note": "Camel's CVE-2026-40022 advisory scopes the original bug to the 'authenticationPath not explicitly set' case, which the fix correctly closes. This variant is therefore best characterized as an incomplete fix + documentation footgun: the same auth-bypass sink is reachable on the patched build via a doc-encouraged explicit authenticationPath value. The fix's BasicAuthenticationSelectivePathTest blesses relative selective protection (/secure/*) as by-design; the untested context-prefix case (/api, /admin) is the gap a complete fix must close.",
  "exit_code": 0
}
