diff --git a/server/src/main/java/org/apache/druid/server/security/UnsecuredResourceFilter.java b/server/src/main/java/org/apache/druid/server/security/UnsecuredResourceFilter.java
index 0d73ba2fa26..0980d07f3cf 100644
--- a/server/src/main/java/org/apache/druid/server/security/UnsecuredResourceFilter.java
+++ b/server/src/main/java/org/apache/druid/server/security/UnsecuredResourceFilter.java
@@ -50,7 +50,9 @@ public class UnsecuredResourceFilter implements Filter
         new AuthenticationResult(
             AuthConfig.ALLOW_ALL_NAME,
             AuthConfig.ALLOW_ALL_NAME,
-            AuthConfig.ALLOW_ALL_NAME,
+            // adding null so that the router doesn't try to decorate the request. It is ok since we're already bypassing
+            // authentication for unsecure paths.
+            null,
             null
         )
     );