PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40022 Apache CVE debrief

CVE-2026-40022 is a high-severity authentication bypass vulnerability in Apache Camel, a popular open-source integration framework. The issue arises when authentication is enabled on the Apache Camel embedded HTTP server or embedded management server, and a non-root context path is configured. In such cases, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. This causes the authentication handler to match only the exact configured context path, not its subpaths. As a result, unauthenticated requests to subpaths can reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM, and operating system information. This vulnerability affects Apache Camel versions from 4.14.1 before 4.14.6 and from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2.

Vendor
Apache
Product
Camel
CVSS
HIGH 8.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-27
Original CVE updated
2026-06-30
Advisory published
2026-04-27
Advisory updated
2026-06-30

Who should care

Security teams and administrators responsible for Apache Camel deployments should be aware of this vulnerability. Apache Camel is widely used in enterprise environments for integrating various systems and applications. The vulnerability's high severity and potential for unauthorized access make it a priority for organizations using affected versions of Apache Camel. Additionally, teams responsible for monitoring and incident response should be prepared to detect and respond to potential exploitation attempts.

Technical summary

The CVE-2026-40022 vulnerability is caused by the way Apache Camel handles authentication for non-root context paths. When authentication is enabled, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() if camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. This leads to the authentication handler only matching the exact configured context path and not its subpaths. As a result, unauthenticated requests to subpaths can bypass authentication and reach protected routes and endpoints. The vulnerability has a CVSS score of 8.2 and is classified as HIGH severity. It affects Apache Camel versions 4.14.1 to 4.14.5 and 4.18.0 to 4.18.1.

Defensive priority

This vulnerability should be prioritized for immediate attention due to its high severity and potential impact. Organizations using affected versions of Apache Camel should upgrade to the recommended versions as soon as possible. In the meantime, defenders can implement additional monitoring and authentication checks to mitigate the risk.

Recommended defensive actions

  • Upgrade Apache Camel to version 4.20.0 or later
  • If using 4.14.x LTS releases, upgrade to 4.14.6
  • If using 4.18.x LTS releases, upgrade to 4.18.2
  • Implement additional monitoring for suspicious requests to Apache Camel endpoints
  • Review and update authentication configurations for Apache Camel deployments

Evidence notes

The CVE-2026-40022 vulnerability was publicly disclosed on April 27, 2026, and has since been modified on June 30, 2026. The vulnerability affects multiple versions of Apache Camel and has a high CVSS score of 8.2. The Apache Camel project has provided advisories and recommended upgrades to address this issue. Multiple sources, including NVD and Red Hat, have documented this vulnerability and provided additional information.

Official resources

This AI-assisted debrief is based on the supplied source corpus and provides an overview of CVE-2026-40022. The information provided is for educational purposes only and should not be used for malicious activities.