Quarkus authorization bypass via semicolon path normalization inconsistency
Summary
| CVE | CVE-2026-39852 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-05 21:16:22 UTC |
| Updated | 2026-07-03 13:17:09 UTC |
| Description | Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2. |
Risk And Classification
Primary CVSS: v4.0 8.8 HIGH from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.000410000 probability, percentile 0.125890000 (date 2026-05-12)
Problem Types: CWE-863 | CWE-551 | CWE-863 CWE-863: Incorrect Authorization | CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | DECLARED | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| 3.1 | ADP | CVSS | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 8.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Quarkusio | Quarkus | affected < 3.20.6.1 | Not specified |
| CNA | Quarkusio | Quarkus | affected >= 3.27.3.0, < 3.27.3.1 | Not specified |
| CNA | Quarkusio | Quarkus | affected >= 3.34.0, < 3.34.7 | Not specified |
| CNA | Quarkusio | Quarkus | affected >= 3.35.0, < 3.35.2 | Not specified |
| ADP | Red Hat | Cryostat 4 On RHEL 9 | Not specified | Not specified |
| ADP | Red Hat | HawtIO HawtIO 4.4.0 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4.14 For Quarkus 3.27 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.20.6.SP1 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Quarkus 3.27.3.SP1 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 2.9.4 | Not specified | Not specified |
| ADP | Red Hat | OpenShift Serverless | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apache Camel 4 For Quarkus 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 2 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Apicurio Registry 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Debezium 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of OptaPlanner 8 | Not specified | Not specified |
| ADP | Red Hat | Red Hat OpenShift AI RHOAI | Not specified | Not specified |
| ADP | Red Hat | Red Hat Process Automation 7 | Not specified | Not specified |
| ADP | Red Hat | Streams For Apache Kafka 3 | Not specified | Not specified |
| ADP | Red Hat | Red Hat Build Of Keycloak | Not specified | Not specified |
| ADP | Red Hat | Red Hat Fuse 7 | Not specified | Not specified |
| ADP | Red Hat | Red Hat JBoss Enterprise Application Platform Expansion Pack | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:11721 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39852.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:25089 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:34608 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:13631 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-39852 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9 | [email protected] | github.com | Vendor Advisory |
| access.redhat.com/errata/RHSA-2026:11720 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:17789 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-04-13T13:26:46.572Z | Reported to Red Hat. |
| ADP | 2026-05-04T00:00:00.000Z | Made public. |
Solutions
ADP: RHSA-2026:17789: Cryostat 4 on RHEL 9
ADP: RHSA-2026:25089: HawtIO HawtIO 4.4.0
ADP: RHSA-2026:13631: Red Hat Build of Apache Camel 4.14 for Quarkus 3.27
ADP: RHSA-2026:11720: Red Hat build of Quarkus 3.20.6.SP1
ADP: RHSA-2026:11721: Red Hat build of Quarkus 3.27.3.SP1
ADP: RHSA-2026:34608: Streams for Apache Kafka 2.9.4
Workarounds
ADP: To mitigate this issue, configure a reverse proxy or load balancer in front of the Quarkus application to normalize incoming URL paths by stripping matrix parameters (semicolons) before requests reach the Quarkus security layer. This ensures that authorization checks are performed on the intended path. Ensure that any changes to proxy configurations are thoroughly tested and services are reloaded or restarted as necessary to apply the new settings.