CVE-2026-39852: CWE-863: Incorrect Authorization in quarkusio quarkus
CVE-2026-39852 is a high-severity vulnerability in the Quarkus Java framework affecting multiple versions prior to specific patched releases. It arises from a path normalization inconsistency between the security and routing layers, allowing unauthorized users to bypass HTTP path-based authorization by appending semicolon and arbitrary text to URLs. This bypass enables access to protected endpoints without proper authorization. The issue has been fixed in versions 3. 20. 6. 1, 3. 27. 3. 1, 3.
AI Analysis
Technical Summary
Quarkus versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2 contain a CWE-863 Incorrect Authorization vulnerability due to a path normalization inconsistency. The security layer authorizes requests based on the raw URL path including matrix parameters (semicolon and following text), while the RESTEasy Reactive routing layer strips these parameters before endpoint matching. This discrepancy allows attackers to append a semicolon and arbitrary text to URLs (e.g., /api/admin;anything) to bypass authorization policies protecting sensitive endpoints. The vulnerability has a CVSS 4.0 score of 8.8 (high severity), indicating network attack vector, no privileges or user interaction required, and high impact on confidentiality. The issue is fixed in the specified patched versions.
Potential Impact
An attacker can bypass HTTP path-based authorization policies in affected Quarkus versions by exploiting the path normalization inconsistency, potentially gaining unauthorized access to protected endpoints. This can lead to unauthorized information disclosure or unauthorized actions within applications using vulnerable Quarkus versions. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network.
Mitigation Recommendations
The vulnerability has been fixed in Quarkus versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2. Users should upgrade to one of these patched versions to remediate the issue. Patch status is not explicitly confirmed beyond these fixed versions; therefore, verify with official Quarkus advisories for the latest remediation guidance. No other vendor mitigation or temporary fixes are indicated.
CVE-2026-39852: CWE-863: Incorrect Authorization in quarkusio quarkus
Description
CVE-2026-39852 is a high-severity vulnerability in the Quarkus Java framework affecting multiple versions prior to specific patched releases. It arises from a path normalization inconsistency between the security and routing layers, allowing unauthorized users to bypass HTTP path-based authorization by appending semicolon and arbitrary text to URLs. This bypass enables access to protected endpoints without proper authorization. The issue has been fixed in versions 3. 20. 6. 1, 3. 27. 3. 1, 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Quarkus versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2 contain a CWE-863 Incorrect Authorization vulnerability due to a path normalization inconsistency. The security layer authorizes requests based on the raw URL path including matrix parameters (semicolon and following text), while the RESTEasy Reactive routing layer strips these parameters before endpoint matching. This discrepancy allows attackers to append a semicolon and arbitrary text to URLs (e.g., /api/admin;anything) to bypass authorization policies protecting sensitive endpoints. The vulnerability has a CVSS 4.0 score of 8.8 (high severity), indicating network attack vector, no privileges or user interaction required, and high impact on confidentiality. The issue is fixed in the specified patched versions.
Potential Impact
An attacker can bypass HTTP path-based authorization policies in affected Quarkus versions by exploiting the path normalization inconsistency, potentially gaining unauthorized access to protected endpoints. This can lead to unauthorized information disclosure or unauthorized actions within applications using vulnerable Quarkus versions. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network.
Mitigation Recommendations
The vulnerability has been fixed in Quarkus versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2. Users should upgrade to one of these patched versions to remediate the issue. Patch status is not explicitly confirmed beyond these fixed versions; therefore, verify with official Quarkus advisories for the latest remediation guidance. No other vendor mitigation or temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T19:13:20.378Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa5fd1cbff5d8610282e46
Added to database: 5/5/2026, 9:23:29 PM
Last enriched: 5/5/2026, 9:36:38 PM
Last updated: 5/5/2026, 10:30:29 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.