SB2026050573 - Improper access control in Quarkus

Security Bulletin ID SB2026050573

CSH Severity

High

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) Improper access control (CVE-ID: CVE-2026-39852)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

The vulnerability allows a remote attacker to bypass authorization and access protected resources.

The vulnerability exists due to improper access control in the quarkus security layer and RESTEasy Reactive routing layer when handling HTTP requests containing matrix parameters. A remote attacker can append a semicolon and arbitrary text to the request URL to bypass authorization and access protected resources.

The issue is caused by a path-normalization inconsistency where authorization checks are performed on the raw URL path while routing strips matrix parameters before endpoint matching.

Remediation

Install update from vendor's website.

References

https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9