Skip to main content

Quarkus CVE-2026-39852

HIGH
Improper Authentication (CWE-287)
2026-05-04 https://github.com/quarkusio/quarkus GHSA-rc95-pcm8-65v9
8.8
CVSS 4.0 · Vendor: https://github.com/quarkusio/quarkus
Share

Severity by source

Vendor (https://github.com/quarkusio/quarkus) PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Red Hat
8.2 HIGH
qualitative

Primary rating from Vendor (https://github.com/quarkusio/quarkus).

CVSS VectorVendor: https://github.com/quarkusio/quarkus

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
May 05, 2026 - 21:22 vuln.today
cvss_changed
CVSS changed
May 05, 2026 - 21:22 NVD
8.2 (HIGH) 8.8 (HIGH)
Source Code Evidence Fetched
May 04, 2026 - 18:01 vuln.today
Analysis Generated
May 04, 2026 - 18:01 vuln.today
Analysis Generated
May 04, 2026 - 17:45 vuln.today
CVE Published
May 04, 2026 - 17:20 nvd
HIGH 8.2

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 230 maven packages depend on io.quarkus:quarkus-vertx-http (38 direct, 192 indirect)

Ecosystem-wide dependent count for version 3.21.0.

DescriptionCVE.org

Quarkus version 3.32.4 is vulnerable to an authorization bypass issue (GHSL-2026-099), in which semicolons (matrix parameters) in HTTP requests can be used to bypass security constraints, potentially allowing unauthorized access to protected resources.

Unauthenticated or lower-privileged users can bypass HTTP path-based authorization policies by appending a semicolon (;) and arbitrary text to the request URL. The vulnerability arises from a path-normalization inconsistency: Quarkus's security layer performs authorization checks on the raw URL path (which preserves matrix parameters), whereas RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. This allows requests like /api/admin;anything to bypass policies protecting /api/admin while still routing to the protected endpoint.

Impact

This issue may lead to Authentication/Authorization bypasses.

Credits

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

AnalysisAI

Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). Attackers can send requests like '/api/admin;anything' to bypass policies protecting '/api/admin' while still routing to the protected endpoint. Vendor-released patches available across four version branches (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1). No public exploit identified at time of analysis, but the attack technique is straightforward given the detailed GitHub Security Lab advisory (GHSA-rc95-pcm8-65v9).

Technical ContextAI

This vulnerability exploits HTTP matrix parameters, a URI convention (RFC 3986) where semicolons separate path parameters from the path segment. The affected component is io.quarkus:quarkus-vertx-http, which bridges Quarkus's security framework with the Vert.x HTTP server. The root cause (CWE-287: Improper Authentication) stems from inconsistent URL normalization across two architectural layers: Quarkus's declarative security layer performs authorization checks against raw request paths including matrix parameters, while RESTEasy Reactive's endpoint routing strips matrix parameters before matching resources. This normalization mismatch creates a classic security-layer bypass where '/api/admin;x' passes authorization checks as a non-matching path but then routes to '/api/admin' after parameter removal. The vulnerability affects applications using HTTP path-based authorization policies (annotations like @RolesAllowed on JAX-RS endpoints or Quarkus security configuration for URL patterns). This is a framework-level flaw requiring no application-specific misconfiguration to be exploitable.

RemediationAI

Upgrade io.quarkus:quarkus-vertx-http to patched versions based on your current branch: 3.20.6.1 for 3.20.x users, 3.27.3.1 for 3.21-3.27 users, 3.33.1.1 for 3.30-3.33 users, or 3.35.1.1 for 3.34-3.35 users. Update your pom.xml or build.gradle dependency declarations and rebuild applications. Full remediation details in vendor advisory at https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9. If immediate patching is not feasible, implement compensating controls at the reverse proxy or API gateway layer: configure explicit URL rewriting rules to reject requests containing semicolons in paths before they reach Quarkus (trade-off: breaks legitimate use of matrix parameters if your application relies on them), or deploy Web Application Firewall rules to block semicolon-containing URIs targeting protected paths (trade-off: requires maintaining synchronized path lists between WAF and application security policies). For applications not using path-based authorization (those relying solely on method-level security annotations without path constraints), risk is significantly lower but patching remains recommended to eliminate the architectural inconsistency. Verify patch effectiveness by testing that requests like '/admin;test' are properly rejected post-upgrade.

Vendor StatusVendor

Share

CVE-2026-39852 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy