Home

Description

Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0.

PUBLISHED Reserved 2026-04-26 | Published 2026-05-09 | Updated 2026-05-09 | Assigner GitHub_M




MEDIUM: 6.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Product status

< 2.11.1-lts
affected

< 2.16.0-lts
affected

< 2.17.0
affected

References

github.com/...erator/security/advisories/GHSA-fr8f-rwjx-f32v

github.com/quarkiverse/quarkus-openapi-generator/pull/1586

github.com/...rkus-openapi-generator/releases/tag/2.11.1-lts

github.com/...rkus-openapi-generator/releases/tag/2.16.0-lts

github.com/.../quarkus-openapi-generator/releases/tag/2.17.0

cve.org (CVE-2026-42333)

nvd.nist.gov (CVE-2026-42333)

Download JSON