CVE-2026-40022
Authentication Bypass in Apache Camel HTTP Server Exposes Sensitive Data
Publication date: 2026-04-27
Last updated on: 2026-04-28
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | camel | From 4.15.0 (inc) to 4.18.2 (exc) |
| apache | camel | From 4.14.1 (inc) to 4.14.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40022 is an authentication bypass vulnerability in Apache Camel's embedded HTTP server and management server components, specifically in the camel-platform-http-main module.
When authentication is enabled and a non-root context path such as /api or /admin is configured without explicitly setting the authentication path, the authentication handler only matches the exact configured context path but not its subpaths.
This means unauthenticated requests to subpaths like /api/_route_ or /admin/observe/info can bypass authentication and access protected business routes and management endpoints.
The /observe/info endpoint can disclose sensitive runtime metadata including user information, working directory, home directory, process ID, JVM details, and operating system information.
How can this vulnerability impact me? :
This vulnerability can allow unauthenticated users to bypass authentication controls and access protected business routes and management endpoints.
Sensitive runtime metadata such as user details, working directory, home directory, process ID, JVM, and operating system information can be exposed through endpoints like /admin/observe/info.
Such unauthorized access can lead to information disclosure and potentially facilitate further attacks or exploitation of the system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, users are advised to upgrade Apache Camel to a fixed version.
- Upgrade to version 4.20.0 if possible.
- If using the 4.14.x LTS stream, upgrade to 4.14.6.
- If using the 4.18.x LTS stream, upgrade to 4.18.2.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthenticated access to protected business routes and management endpoints, including the /observe/info endpoint which can disclose sensitive runtime metadata such as user information, working directory, home directory, process ID, JVM, and operating system details.
Such unauthorized disclosure of sensitive information could potentially lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and mandate proper authentication and access controls.
Therefore, the vulnerability poses a risk to compliance by enabling unauthorized access and exposure of sensitive system and user-related information.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether unauthenticated requests to subpaths of configured non-root context paths bypass authentication. Specifically, sending HTTP requests to subpaths such as /api/_route_ or /admin/observe/info and checking if these requests are accepted without credentials indicates the presence of the vulnerability.
For detection, you can use command-line tools like curl to send requests to these subpaths and observe if authentication is enforced.
- curl -i http://<server_address>/api/_route_
- curl -i http://<server_address>/admin/observe/info
If these requests return sensitive information or do not prompt for authentication, the system is vulnerable.