VYPR
High severity8.2GHSA Advisory· Published May 5, 2026· Updated May 8, 2026

CVE-2026-39852

CVE-2026-39852

Description

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
io.quarkus:quarkus-vertx-httpMaven
< 3.20.6.13.20.6.1
io.quarkus:quarkus-vertx-httpMaven
>= 3.21.0, < 3.27.3.13.27.3.1
io.quarkus:quarkus-vertx-httpMaven
>= 3.30.0, < 3.33.1.13.33.1.1
io.quarkus:quarkus-vertx-httpMaven
>= 3.34.0, < 3.35.1.13.35.1.1

Affected products

21

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.