There is missing null check in io.undertow.security.impl.SecurityContextImpl.ChallengeSender.transition() method. Method mechanism.sendChallenge can return null (interface AuthenticationMechanism can have various implementations) which leads to NPE for calling some method on its result without null check. See [1].

There should be null checker in SecurityContextImpl.ChallengeSender.transition() method or documentation of io.undertow.security.api.AuthenticationMechanism.sendChallenge should explicitly say that this method must not return null.

[1] https://github.com/undertow-io/undertow/blob/43ff6d15b2054ac659d469165d508b7ddb954ff3/core/src/main/java/io/undertow/security/impl/SecurityContextImpl.java#L298