Home

Description

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

PUBLISHED Reserved 2026-06-04 | Published 2026-06-19 | Updated 2026-06-19 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-287: Improper Authentication

CWE-863: Incorrect Authorization

Product status

>= 3.36.0, < 3.36.3
affected

>= 3.33.0, < 3.33.2.1
affected

>= 3.27.0, < 3.27.4.1
affected

< 3.20.6.2
affected

References

github.com/...uarkus/security/advisories/GHSA-qcxp-gm7m-4j5v

cve.org (CVE-2026-50559)

nvd.nist.gov (CVE-2026-50559)

Download JSON