8.8

CVE-2026-39852

Quarkus authorization bypass via semicolon path normalization inconsistency

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
QuarkusQuarkus Version < 3.20.6.1
QuarkusQuarkus Version >= 3.21.0 < 3.27.3.1
QuarkusQuarkus Version >= 3.28.0 < 3.33.1.1
QuarkusQuarkus Version >= 3.34.0 < 3.34.7
QuarkusQuarkus Version >= 3.35.0 < 3.35.2
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.44% 0.356
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.2 3.9 4.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
security-advisories@github.com 8.8 0 0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.2 3.9 4.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9
Vendor Advisory
https://access.redhat.com/errata/RHSA-2026:25089
https://access.redhat.com/errata/RHSA-2026:17789
https://access.redhat.com/errata/RHSA-2026:11720
https://access.redhat.com/errata/RHSA-2026:11721
https://access.redhat.com/errata/RHSA-2026:13631
https://access.redhat.com/security/cve/CVE-2026-39852
https://bugzilla.redhat.com/show_bug.cgi?id=2457819
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-39852.json
https://access.redhat.com/errata/RHSA-2026:34608