CVE-2026-40022

Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.14.1 through 4.14.5 Apache Camel versions 4.18.0 through 4.18.1

Description When authentication is enabled on the embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path (e.g., "/api" or "/admin") is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() if camel.server.authenticationPath or camel.management.authenticationPath is not explicitly set. Due to the Vert.x sub-router mounting model, the authentication handler only matches the exact configured context path rather than its subpaths. Consequently, unauthenticated requests to subpaths, such as "/api/ route " or "/admin/observe/info", can access protected business routes and management endpoints without credentials. The "/observe/info" endpoint may disclose runtime metadata, including the user, working directory, home directory, process ID, JVM, and operating system information.

Recommendations Upgrade to version 4.14.6 for those on the 4.14.x LTS releases stream. Upgrade to version 4.18.2 for those on the 4.18.x LTS releases stream. Upgrade to version 4.20.0.