From f752283c086c02357357d45f9fd892a3482be8b6 Mon Sep 17 00:00:00 2001
From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com>
Date: Mon, 30 Oct 2023 11:47:45 -0400
Subject: [PATCH] backport of commit 26bae559979bb6cc9f086d26f9c6450aa5173e95 (#23900)

Co-authored-by: Hamid Ghaf <83242695+hghaf099@users.noreply.github.com>
---
 changelog/23802.txt | 3 +++
 vault/logical_system.go | 7 ++++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 changelog/23802.txt

diff --git a/changelog/23802.txt b/changelog/23802.txt
new file mode 100644
index 000000000..49caebc4f
--- /dev/null
+++ b/changelog/23802.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+core/mounts: Fix reading an "auth" mount using "sys/internal/ui/mounts/" when filter paths are enforced returns 500 error code from the secondary
+```
diff --git a/vault/logical_system.go b/vault/logical_system.go
index 640ce1b30..b4b6dff75 100644
--- a/vault/logical_system.go
+++ b/vault/logical_system.go
@@ -4328,7 +4328,12 @@ func (b *SystemBackend) pathInternalUIMountRead(ctx context.Context, req *logica
 return errResp, logical.ErrPermissionDenied
 }
 
- filtered, err := b.Core.checkReplicatedFiltering(ctx, me, "")
+ var routerPrefix string
+ if strings.HasPrefix(me.APIPathNoNamespace(), credentialRoutePrefix) {
+ routerPrefix = credentialRoutePrefix
+ }
+
+ filtered, err := b.Core.checkReplicatedFiltering(ctx, me, routerPrefix)
 if err != nil {
 return nil, err
 }
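Review bot: The `routerPrefix` choice hinges on `strings.HasPrefix(me.APIPathNoNamespace(), credentialRoutePrefix)`, a string match on the rendered path rather than on the mount's type, so it is only correct if no non-auth mount can ever render a path beginning with that prefix; if the mount entry exposes its table type (an assumption, not visible in this hunk), comparing that would state the intent directly. The block also deserves a short comment, for example `// auth mounts are routed under credentialRoutePrefix; the filter check must see the same prefix`, since the empty-string argument it replaces looked equally plausible. No test accompanies the change (the diffstat lists only the changelog and this file), so a regression test that reads an auth mount through this endpoint with path filters enforced would keep the replication-filter decision from silently regressing. `pathInternalUIMountRead` starts and ends outside the hunk.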