CVE-2026-40022
CVE-2026-40022 is a high-severity vulnerability in Apache Camel with a CVSS 3.x base score of 8.2. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-288.
Key facts
- Severity: High (CVSS 3.x base score 8.2)
- EPSS exploit prediction: 1% (45th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-25807
- Weakness: CWE-288
- Affected product: Apache Camel
- Published:
- Last modified:
Description
When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2.
Frequently asked questions
- What is CVE-2026-40022?
- When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2.
- How severe is CVE-2026-40022?
- CVE-2026-40022 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
- Is CVE-2026-40022 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (45th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-40022?
- CVE-2026-40022 affects Apache Camel. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-40022?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- Does CVE-2026-40022 have an EU (EUVD) identifier?
- Yes. CVE-2026-40022 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-25807.
- When was CVE-2026-40022 published?
- CVE-2026-40022 was published on 2026-04-27 and last updated on 2026-06-30.
References
- https://camel.apache.org/security/CVE-2026-40022.html
- http://www.openwall.com/lists/oss-security/2026/04/26/5
- https://access.redhat.com/errata/RHSA-2026:17668
- https://access.redhat.com/security/cve/CVE-2026-40022
- https://bugzilla.redhat.com/show_bug.cgi?id=2463178
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-40022.json
Affected products (1)
- cpe:2.3:a:apache:camel:*:*:*:*:*:*:*:*
More vulnerabilities in Apache Camel
- CVE-2026-33453 — Critical (CVSS 10.0): Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap…
- CVE-2026-40453 — Critical (CVSS 9.9): The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such…
- CVE-2026-48204 — Critical (CVSS 9.8): Improper Input Validation, Improper Access Control vulnerability in Apache Camel in Camel Mongodb Gridfs…
- CVE-2026-46456 — Critical (CVSS 9.8): Improper Input Validation vulnerability in Apache Camel AWS2-SQS Component. The camel-aws2-sqs component map inbound…
- CVE-2026-46455 — Critical (CVSS 9.8): Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper…
- CVE-2026-46454 — Critical (CVSS 9.8): Improper Input Validation vulnerability in Apache Camel Cometd Component. The camel-cometd component maps inbound…
All CVEs affecting Apache Camel →
Other CWE-288 vulnerabilities
- CVE-2026-53622 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's…
- CVE-2026-48491 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in…
- CVE-2026-48020 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity…
- CVE-2026-20079 — Critical (CVSS 10.0): A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an…
- CVE-2024-10081 — Critical (CVSS 10.0): CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.…
- CVE-2024-2973 — Critical (CVSS 10.0): An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or…