Quarkus CVE-2026-39852
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/quarkusio/quarkus).
CVSS VectorVendor: https://github.com/quarkusio/quarkus
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6Blast Radius
ecosystem impact- 230 maven packages depend on io.quarkus:quarkus-vertx-http (38 direct, 192 indirect)
Ecosystem-wide dependent count for version 3.21.0.
DescriptionCVE.org
Quarkus version 3.32.4 is vulnerable to an authorization bypass issue (GHSL-2026-099), in which semicolons (matrix parameters) in HTTP requests can be used to bypass security constraints, potentially allowing unauthorized access to protected resources.
Unauthenticated or lower-privileged users can bypass HTTP path-based authorization policies by appending a semicolon (;) and arbitrary text to the request URL. The vulnerability arises from a path-normalization inconsistency: Quarkus's security layer performs authorization checks on the raw URL path (which preserves matrix parameters), whereas RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. This allows requests like /api/admin;anything to bypass policies protecting /api/admin while still routing to the protected endpoint.
Impact
This issue may lead to Authentication/Authorization bypasses.
Credits
This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
AnalysisAI
Authorization bypass in Quarkus allows remote unauthenticated attackers to access protected HTTP endpoints by appending semicolons (matrix parameters) to request URLs. Quarkus version 3.32.4 and multiple other branches are affected due to a path-normalization inconsistency between the security layer (which checks raw paths preserving matrix parameters) and RESTEasy Reactive routing (which strips them). Attackers can send requests like '/api/admin;anything' to bypass policies protecting '/api/admin' while still routing to the protected endpoint. Vendor-released patches available across four version branches (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1). No public exploit identified at time of analysis, but the attack technique is straightforward given the detailed GitHub Security Lab advisory (GHSA-rc95-pcm8-65v9).
Technical ContextAI
This vulnerability exploits HTTP matrix parameters, a URI convention (RFC 3986) where semicolons separate path parameters from the path segment. The affected component is io.quarkus:quarkus-vertx-http, which bridges Quarkus's security framework with the Vert.x HTTP server. The root cause (CWE-287: Improper Authentication) stems from inconsistent URL normalization across two architectural layers: Quarkus's declarative security layer performs authorization checks against raw request paths including matrix parameters, while RESTEasy Reactive's endpoint routing strips matrix parameters before matching resources. This normalization mismatch creates a classic security-layer bypass where '/api/admin;x' passes authorization checks as a non-matching path but then routes to '/api/admin' after parameter removal. The vulnerability affects applications using HTTP path-based authorization policies (annotations like @RolesAllowed on JAX-RS endpoints or Quarkus security configuration for URL patterns). This is a framework-level flaw requiring no application-specific misconfiguration to be exploitable.
RemediationAI
Upgrade io.quarkus:quarkus-vertx-http to patched versions based on your current branch: 3.20.6.1 for 3.20.x users, 3.27.3.1 for 3.21-3.27 users, 3.33.1.1 for 3.30-3.33 users, or 3.35.1.1 for 3.34-3.35 users. Update your pom.xml or build.gradle dependency declarations and rebuild applications. Full remediation details in vendor advisory at https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9. If immediate patching is not feasible, implement compensating controls at the reverse proxy or API gateway layer: configure explicit URL rewriting rules to reject requests containing semicolons in paths before they reach Quarkus (trade-off: breaks legitimate use of matrix parameters if your application relies on them), or deploy Web Application Firewall rules to block semicolon-containing URIs targeting protected paths (trade-off: requires maintaining synchronized path lists between WAF and application security policies). For applications not using path-based authorization (those relying solely on method-level security annotations without path constraints), risk is significantly lower but patching remains recommended to eliminate the architectural inconsistency. Verify patch effectiveness by testing that requests like '/admin;test' are properly rejected post-upgrade.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-rc95-pcm8-65v9