
Quarkus authorization bypass via semicolon path normalization inconsistency (CVE-2026-39852)

8.8 / 10
HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Description

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path, which preserves matrix parameters (the part of a path segment after a semicolon), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. Because the two layers see different paths, an attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything): the policy protecting /api/admin does not match the raw path, yet the request still routes to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.
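The following is an added, self-contained model of the mismatch described above; it is not Quarkus or RESTEasy Reactive code. It simulates a path-policy check that matches the raw request path next to a router that strips matrix parameters before matching, shows that /api/admin;anything passes the policy while still reaching the admin handler, and contrasts it with a dispatcher that normalizes once and feeds the same canonical path to both layers. The policy table, route table, function names and the longest-prefix policy matching are assumptions chosen for illustration.

```python
"""
Model of the CVE-2026-39852 path-normalization mismatch (added example, not
project code). Two layers see the request path differently:
  - the policy layer matches the RAW path (matrix parameters kept),
  - the router matches the NORMALIZED path (matrix parameters stripped).
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Request:
    raw_path: str            # path as received on the wire, e.g. "/api/admin;x"
    user_roles: frozenset    # caller's roles; empty set = unauthenticated


def strip_matrix_params(path: str) -> str:
    """Drop ';...' matrix parameters from every path segment.

    A router that matches on segment names treats "/api/admin;anything" and
    "/api/admin" as the same resource. Assumption: the sample paths need no
    other normalization (percent-decoding, dot-segment removal).
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


# Constructed sample policy: path prefix -> roles allowed ("*" = any caller).
POLICY = {
    "/api/admin": frozenset({"admin"}),
    "/api": frozenset({"*"}),
}


def policy_for(path: str) -> frozenset:
    """Longest-prefix match over POLICY (an assumed simplification of a
    path-based permission table); unmatched paths are open."""
    candidates = (p for p in POLICY if path == p or path.startswith(p + "/"))
    best = max(candidates, key=len, default=None)
    return POLICY[best] if best else frozenset({"*"})


def authorized(path: str, roles: frozenset) -> bool:
    allowed = policy_for(path)
    return "*" in allowed or bool(allowed & roles)


# Constructed route table keyed by normalized path -> handler name.
ROUTES = {"/api/admin": "admin_handler", "/api/info": "info_handler"}


def route(path: str) -> Optional[str]:
    return ROUTES.get(strip_matrix_params(path))


def vulnerable_dispatch(req: Request) -> str:
    """Policy sees the raw path; the router sees the stripped path.
    "/api/admin;anything" falls under the open "/api" policy but routes
    to admin_handler."""
    if not authorized(req.raw_path, req.user_roles):
        return "403"
    return route(req.raw_path) or "404"


def fixed_dispatch(req: Request) -> str:
    """Normalize once and give both layers the same canonical path."""
    canon = strip_matrix_params(req.raw_path)
    if not authorized(canon, req.user_roles):
        return "403"
    return route(canon) or "404"


def demo() -> dict:
    """Run the anonymous bypass probe through both dispatchers."""
    anon_probe = Request("/api/admin;anything", frozenset())
    return {
        "vulnerable": vulnerable_dispatch(anon_probe),   # "admin_handler"
        "fixed": fixed_dispatch(anon_probe),             # "403"
    }


if __name__ == "__main__":
    for layer, outcome in demo().items():
        print(f"{layer:>10}: GET /api/admin;anything as anonymous -> {outcome}")
```

The practical check this suggests for a deployment is the same probe against a real policy: request a protected path with a trailing `;x` as an unauthenticated client and confirm the response is the same 401/403 you get for the bare path. Any handler that runs on the matrix-parameter variant is the bypass the advisory describes.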

AI Analysis

Path normalization inconsistency allowing unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies

Basic Information

ID CVE-2026-39852
Source GitHub_M
Published May 5, 2026 at 20:58

Affected Product

Vendor quarkusio
Product quarkus
Version < 3.20.6.1
Affected Versions
quarkusio quarkus < 3.20.6.1
quarkusio quarkus >= 3.27.3.0, < 3.27.3.1
quarkusio quarkus >= 3.34.0, < 3.34.7
quarkusio quarkus >= 3.35.0, < 3.35.2

CWE Classification

AI Assessment

AI Score 8.8 / 10
AI Severity High
Vendor Red Hat
Product Quarkus
Version < 3.20.6.1, < 3.27.3.1, < 3.33.1.1, < 3.35.1.1, < 3.34.7, < 3.35.2

References
