7.5
/ 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.
Basic Information
ID
CVE-2026-50559
Source
GitHub_M
Published
Jun 19, 2026 at 20:26
Affected Product
Vendor
quarkusio
Product
quarkus
Version
>= 3.36.0, < 3.36.3
Affected Versions
quarkusio quarkus >= 3.36.0, < 3.36.3
quarkusio quarkus >= 3.33.0, < 3.33.2.1
quarkusio quarkus >= 3.27.0, < 3.27.4.1
quarkusio quarkus < 3.20.6.2
quarkusio quarkus >= 3.33.0, < 3.33.2.1
quarkusio quarkus >= 3.27.0, < 3.27.4.1
quarkusio quarkus < 3.20.6.2