
Quarkus CVE-2026-39852

HIGH
Improper Authentication (CWE-287)
2026-05-04 https://github.com/quarkusio/quarkus GHSA-rc95-pcm8-65v9
8.8
CVSS 4.0

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Vulnerable System Impact: Confidentiality High, Integrity Low, Availability None
Subsequent System Impact: None

Lifecycle Timeline (6 events)

  • May 05, 2026 21:22 (vuln.today): Re-analysis queued
  • May 05, 2026 21:22 (NVD): CVSS changed, 8.2 (HIGH) → 8.8 (HIGH)
  • May 04, 2026 18:01 (vuln.today): Source code evidence fetched
  • May 04, 2026 18:01 (vuln.today): Analysis generated
  • May 04, 2026 17:45 (vuln.today): Analysis generated
  • May 04, 2026 17:20 (NVD): CVE published, HIGH 8.2

Blast Radius (ecosystem impact)

Transitive dependency graph, resolved by vuln.today to a depth of 4 paths:
  • 230 maven packages depend on io.quarkus:quarkus-vertx-http (38 direct, 192 indirect)

Ecosystem-wide dependent count for version 3.21.0.

Description (NVD)

Quarkus version 3.32.4 is vulnerable to an authorization bypass issue (GHSL-2026-099), in which semicolons (matrix parameters) in HTTP requests can be used to bypass security constraints, potentially allowing unauthorized access to protected resources.

Unauthenticated or lower-privileged users can bypass HTTP path-based authorization policies by appending a semicolon (;) and arbitrary text to the request URL. The vulnerability arises from a path-normalization inconsistency: Quarkus's security layer performs authorization checks on the raw URL path (which preserves matrix parameters), whereas RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. This allows requests like /api/admin;anything to bypass policies protecting /api/admin while still routing to the protected endpoint.
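The following Python block is an added illustration, not code from Quarkus, RESTEasy Reactive or the advisory. It models the two-layer mismatch described above: a policy check that runs against the raw path and a router that strips matrix parameters before matching, so a request for /api/admin;anything slips past the policy but still reaches /api/admin. The policy syntax (a trailing * covering further segments), the endpoint set, the role names and the access-log lines are all assumptions constructed for the example; the hardened check simply normalises the path with the same function the router uses before consulting the policy table, and a small log sweep shows what to look for in historical traffic.

```python
"""Model of the matrix-parameter authorization bypass described above.

Stand-in code, not Quarkus: two layers that disagree on how to normalise
a request path. The policy syntax is loosely modelled on a path-based
permission rule and is an assumption, as are the endpoints, roles and
log lines below.
"""
import re

# Hypothetical policy table: (path pattern, roles allowed). A trailing
# '*' covers any further segments; anything not listed is public.
POLICIES = [("/api/admin/*", {"admin"})]

# Hypothetical endpoints the router knows about.
ENDPOINTS = {"/api/admin", "/api/admin/users", "/api/public"}


def strip_matrix_params(path: str) -> str:
    """Remove ';...' from every segment, as a JAX-RS style router does
    before matching: '/api/admin;x/users;y=1' -> '/api/admin/users'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def policy_matches(pattern: str, path: str) -> bool:
    """Segment-wise match of a policy pattern against a path."""
    pat = pattern.strip("/").split("/")
    seg = path.strip("/").split("/")
    if pat[-1] == "*":
        pat = pat[:-1]
        return seg[: len(pat)] == pat
    return seg == pat


def required_roles(path: str):
    """Roles a path needs under POLICIES, or None if unrestricted."""
    for pattern, roles in POLICIES:
        if policy_matches(pattern, path):
            return roles
    return None


def authorize_vulnerable(raw_path: str, roles: set) -> bool:
    """Checks the RAW path. '/api/admin;x' has the segment 'admin;x',
    which no policy pattern matches, so the request is treated as public."""
    need = required_roles(raw_path)
    return need is None or bool(need & roles)


def authorize_hardened(raw_path: str, roles: set) -> bool:
    """Same check, but on the path normalised exactly as the router
    will see it, so both layers agree on which endpoint is meant."""
    need = required_roles(strip_matrix_params(raw_path))
    return need is None or bool(need & roles)


def route(raw_path: str):
    """Router: matches endpoints after stripping matrix parameters."""
    clean = strip_matrix_params(raw_path)
    return clean if clean in ENDPOINTS else None


def handle(raw_path: str, roles: set, authorize) -> tuple:
    """Request pipeline: authorization first, then routing.
    Returns (HTTP status, endpoint reached or None)."""
    if not authorize(raw_path, roles):
        return (403, None)
    endpoint = route(raw_path)
    return (200, endpoint) if endpoint else (404, None)


def bypassing_paths(candidates, authorize=authorize_vulnerable):
    """Probe: which candidate paths reach a protected endpoint with no
    roles at all? Doubles as a regression check for the fix."""
    hits = []
    for p in candidates:
        status, endpoint = handle(p, set(), authorize)
        if status == 200 and required_roles(endpoint) is not None:
            hits.append(p)
    return hits


# Constructed access-log lines (not real traffic) for a detection sweep.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/May/2026:17:20:01 +0000] "GET /api/public HTTP/1.1" 200 512',
    '10.0.0.9 - - [04/May/2026:17:20:03 +0000] "GET /api/admin HTTP/1.1" 403 0',
    '10.0.0.9 - - [04/May/2026:17:20:04 +0000] "GET /api/admin;anything HTTP/1.1" 200 2048',
    '10.0.0.9 - - [04/May/2026:17:20:06 +0000] "POST /api/admin;x/users HTTP/1.1" 200 17',
]
_REQ = re.compile(r'"(?P<m>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def matrix_param_hits(log_lines):
    """Flag requests whose path carries matrix parameters and, once
    normalised, lands on a protected endpoint: (path, status) pairs."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m or ";" not in m["path"]:
            continue
        if required_roles(strip_matrix_params(m["path"])) is not None:
            hits.append((m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    probes = ["/api/admin", "/api/admin;anything", "/api/admin;x/users"]
    print("bypass before fix:", bypassing_paths(probes))
    print("bypass after fix: ", bypassing_paths(probes, authorize_hardened))
    print("log hits:", matrix_param_hits(SAMPLE_LOG))
```

The design point is that the semicolon only matters when it sits in a segment the policy pattern inspects: /api/admin/users;x=1 is still caught by /api/admin/*, while /api/admin;x/users is not. Any fix therefore has to canonicalise the whole path with the router's own rules before the policy lookup, rather than special-casing the last segment; a 200 on a path that contains a semicolon and normalises to a protected prefix is the signature to hunt for in access logs.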

Impact

This issue may lead to Authentication/Authorization bypasses.

Credits

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

Analysis (AI)

Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). …


Remediation (AI)

Within 24 hours: identify all Quarkus deployments and their versions (check for the 3.20.x, 3.27.x, 3.32.x, 3.33.x and 3.35.x branches). Within 7 days: apply the vendor-released patches, upgrading to Quarkus 3.20.6.1, 3.27.3.1, 3.33.1.1 or 3.35.1.1 depending on your current branch; note that this excerpt names no fixed release for the 3.32.x branch. …


CVE-2026-39852 vulnerability details – vuln.today
