
Quarkus CVE-2026-50559

EUVD-2026-38084 · HIGH
Improper Authentication (CWE-287)
Published 2026-06-19 · Source: GitHub_M
CVSS 3.1: 7.5 (Vendor: GitHub_M)

Severity by source

Vendor (GitHub_M), primary: 7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

vuln.today AI: 7.5 HIGH

Remote unauthenticated HTTP request with no user interaction; bypass exposes protected resources (C:H) but the advisory describes read access only, so I:N/A:N.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Patch available: Jun 19, 2026, 23:17 (EUVD)
Analysis generated: Jun 19, 2026, 20:47 (vuln.today)

Description (CVE.org)

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

Analysis (AI)

Authentication bypass in Quarkus Java framework allows remote unauthenticated attackers to circumvent HTTP path-based authorization policies by smuggling encoded semicolons (%3B) as matrix parameters or by using encoded slashes (%2F) and backslashes (%5C) to reach protected static resources. Affects all Quarkus versions prior to the 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 patch line. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify Internet-exposed Quarkus app
Delivery: Enumerate protected paths and static roots
Exploit: Craft URL with %3B matrix-param or %2F/%5C encoded separators
Execution: Send unauthenticated HTTP request
Persist: Bypass path-based auth policy
Impact: Read protected endpoint or static resource

Vulnerability Assessment (AI)

Exploitation: The target must be running an unpatched Quarkus version (any release before the 3.37.0/3.36.3/3.33.2.1/3.33.3/3.27.4.1/3.27.5/3.20.6.2 fix line) that enforces access control via Quarkus HTTP path-based authorization policies (quarkus.http.auth.permission.*) rather than method-level annotations, or that exposes protected static resources through the built-in static handler. …
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N scores 7.5 and is internally consistent: network-reachable, no privileges required, no user interaction, and a confidentiality loss when protected endpoints or static assets are exposed. …
Exploit Scenario: An unauthenticated attacker sends an HTTP request to a Quarkus application such as GET /admin%3Bfoo=bar/users or GET /public%2F..%2Fadmin/config, where the encoded semicolon or slash causes the path-based authorization policy to match a permitted prefix while the router dispatches to the protected admin endpoint or static file. Because no authentication is required and the request is a single crafted URL, the technique is trivially scriptable across Internet-exposed Quarkus services. …
Remediation: Vendor-released patch: upgrade to Quarkus 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, or 3.20.6.2 (whichever matches your current maintenance line), per GHSA-qcxp-gm7m-4j5v (https://github.com/quarkusio/quarkus/security/advisories/GHSA-qcxp-gm7m-4j5v). …
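The root cause in this class of bug is that the authorization layer and the router see different paths. The following is an added illustration, not code from the advisory or from Quarkus: a toy authorizer that prefix-matches the raw request path (the bypassable pattern) beside one that canonicalizes to the path the router would dispatch on and fails closed on anything it cannot canonicalize. The /admin policy and all helper names are constructed for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed policy for the example: everything under /admin needs auth.
PROTECTED_PREFIXES = ("/admin",)

def _matches(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)

def naive_is_protected(raw_path: str) -> bool:
    """Prefix-match the raw request path. This is the pattern the advisory
    describes as bypassable: %3B, %2F and %5C are not separators here, but the
    router decodes them (and drops matrix parameters) before dispatching."""
    return _matches(raw_path)

def canonicalize(raw_path: str) -> Optional[str]:
    """Produce the path the router will actually dispatch on, or None when the
    request should simply be rejected (fail closed)."""
    if not raw_path.startswith("/"):
        return None
    decoded = unquote(raw_path)
    if "%" in decoded:
        return None                      # double-encoded: do not guess
    # A separator that only appears after decoding was percent-encoded in
    # the request; reject rather than try to reason about it.
    for sep in (";", "/", "\\"):
        if decoded.count(sep) != raw_path.count(sep):
            return None
    # Drop matrix parameters (;k=v) from every segment, then collapse
    # ./.. segments so /public/../admin resolves to /admin.
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    return "/" + posixpath.normpath("/".join(segments)).lstrip("/")

def hardened_is_protected(raw_path: str) -> bool:
    """Authorize on the canonical form; anything that cannot be canonicalized
    is treated as protected, so unexpected encodings never become public."""
    canonical = canonicalize(raw_path)
    return True if canonical is None else _matches(canonical)

if __name__ == "__main__":
    # Request paths quoted in the advisory analysis, plus a plain one.
    for path in ("/admin/users", "/admin%3Bfoo=bar/users",
                 "/public%2F..%2Fadmin/config", "/public/index.html"):
        print(f"{path:32} naive={naive_is_protected(path)!s:5} "
              f"hardened={hardened_is_protected(path)}")
```

The same canonical-before-authorize rule is what a reverse proxy or WAF in front of an unpatched instance should apply as a compensating control: reject or normalize %3B, %2F and %5C before any path-based policy is evaluated.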

Recommended Action (AI)

24 hours: Identify all systems running Quarkus versions prior to 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2. …
