{
  "variant_id": "cve-2026-40022-camel-platform-http-main-explicit-authpath-bypass",
  "created_at": "2026-07-07",
  "variant_summary": "On the patched Apache Camel camel-platform-http-main 4.14.6 (fix commit a9ebee94af97), the authentication-bypass sink of CVE-2026-40022 is still reachable: when an operator explicitly sets camel.server.authenticationPath or camel.management.authenticationPath to the context prefix (e.g. /api or /admin) -- a configuration the property Javadoc ('Set HTTP url path ... that is protected') actively encourages -- the value is returned verbatim by MainAuthenticationConfigurer.resolveAuthenticationPath (which ignores its contextPath argument) and registered relative to the Vert.x sub-router, so it matches only /api/api (resp. /admin/admin) and not the real subpaths. Unauthenticated GET /api/hello returns 200 OK on the patched build, and unauthenticated GET /admin/observe/info returns 200 OK leaking runtime metadata (user, user.dir, user.home, pid, JVM/OS). The fix only changed the DEFAULT (unset) branch to /*; the explicit-prefix data path is unchanged from 4.14.5 and remains open on 4.14.6.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "github.com/apache/camel",
  "submitted_target": {
    "target_kind": "release_tag",
    "commit_sha": "cf4dbbcb1c88dbecaa14f3d74d66490aa71f777f",
    "version": "4.14.5",
    "ref": "camel-4.14.5",
    "display": "org.apache.camel:camel-platform-http-main:4.14.5 (camel-4.14.5)"
  },
  "variant_target": {
    "target_kind": "release_tag",
    "commit_sha": "699d9363ab93c54a255afdf97077ee35c3709cd2",
    "version": "4.14.6",
    "ref": "camel-4.14.6",
    "display": "org.apache.camel:camel-platform-http-main:4.14.6 (camel-4.14.6) -- PATCHED, bypass confirmed here"
  },
  "same_root_cause_confidence": "high",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "api_remote",
  "required_entrypoint_kind": "endpoint",
  "required_entrypoint_detail": "Unauthenticated HTTP GET to an embedded Camel platform-http subpath (/api/hello) or management subpath (/admin/observe/info) when camel.server.path / camel.management.path is a non-root context path AND an explicit camel.server.authenticationPath / camel.management.authenticationPath is set to that same context prefix.",
  "attacker_controlled_input": "unauthenticated HTTP request to a subpath under the configured non-root context path (e.g. /api/hello or /admin/observe/info)",
  "trigger_path": "Camel Main embedded HTTP/management server (camel-platform-http-main -> VertxPlatformHttpServer) with a non-root context path and authenticationEnabled=true, plus an explicit authenticationPath equal to the context prefix; the auth handler is registered at subRouter.route(entry.getPath()) relative to the consumed context prefix, so subpaths never match it. Sink: VertxPlatformHttpServer.addAuthenticationHandlersStartingFromMoreSpecificPaths (subRouter.route(entry.getPath()).handler(auth)) + router.route(path+'*').subRouter(subRouter). Gap: MainAuthenticationConfigurer.resolveAuthenticationPath returns explicit authenticationPath verbatim and ignores contextPath.",
  "observed_impact_class": "authz_bypass",
  "exploitability_confidence": "high",
  "evidence_scope": "production_path",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": true,
  "inferred": false,
  "claim_block_reason": null,
  "blocking_mitigation": null,
  "file_path": "components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/MainAuthenticationConfigurer.java",
  "line_start": 38,
  "line_end": 43,
  "secondary_anchors": [
    {
      "file_path": "components/camel-platform-http-vertx/src/main/java/org/apache/camel/component/platform/http/vertx/VertxPlatformHttpServer.java",
      "line_start": 332,
      "line_end": 337
    },
    {
      "file_path": "components/camel-platform-http-vertx/src/main/java/org/apache/camel/component/platform/http/vertx/VertxPlatformHttpServer.java",
      "line_start": 200,
      "line_end": 200
    },
    {
      "file_path": "components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/BasicAuthenticationConfigurer.java",
      "line_start": 30,
      "line_end": 36
    },
    {
      "file_path": "components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/JWTAuthenticationConfigurer.java",
      "line_start": 35,
      "line_end": 41
    },
    {
      "file_path": "components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/ManagementHttpServer.java",
      "line_start": 486,
      "line_end": 540
    }
  ],
  "review_scope_paths": [
    "components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/authentication/",
    "components/camel-platform-http-vertx/src/main/java/org/apache/camel/component/platform/http/vertx/VertxPlatformHttpServer.java",
    "components/camel-platform-http-main/src/main/java/org/apache/camel/component/platform/http/main/ManagementHttpServer.java",
    "components/camel-main/src/main/java/org/apache/camel/main/HttpServerConfigurationProperties.java",
    "components/camel-main/src/main/java/org/apache/camel/main/HttpManagementServerConfigurationProperties.java"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/variant_summary.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  },
  "notes": "Camel's advisory scopes CVE-2026-40022 to the case where authenticationPath is NOT explicitly set; the fix closes that default branch (confirmed: fixed default -> 401). This variant is the explicit-authenticationPath-equals-context-prefix data path, which the fix returns verbatim and does not normalize/warn about; it reproduces on the patched 4.14.6 (business route auth bypass + management /observe/info info disclosure). The fix's own BasicAuthenticationSelectivePathTest blesses relative selective protection (/secure/*) as by-design; the untested, undocumented context-prefix case is the gap. A complete fix should normalize an explicit authenticationPath that equals/starts with the context path (use the currently-dead contextPath argument), warn on startup, and clarify the Javadoc (relative-to-context semantics; unset = protect all)."
}
