SB2026050719 - IBM Enterprise Build of Quarkus update for Quarkus

Published: May 7, 2026

Security Bulletin ID: SB2026050719
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper access control (CVE-ID: CVE-2026-39852)

The vulnerability allows a remote attacker to bypass authorization and access protected resources.

The vulnerability exists due to improper access control in the Quarkus security layer and the RESTEasy Reactive routing layer when handling HTTP requests containing matrix parameters. A remote attacker can append a semicolon and arbitrary text to the request URL to bypass authorization and access protected resources.

The issue is caused by a path-normalization inconsistency where authorization checks are performed on the raw URL path while routing strips matrix parameters before endpoint matching.
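To make the inconsistency concrete, the following is an added Python illustration (not Quarkus or RESTEasy code): one handler matches authorization policies against the raw path while the router matches against the path with matrix parameters stripped, beside a version that normalizes once and feeds the same path to both decisions. The policy table, route set and request paths are constructed for the example.

```python
# Added illustration, not Quarkus code: authorization on the raw path versus
# routing on the matrix-parameter-stripped path, and the consistent fix.
from fnmatch import fnmatchcase
from typing import Optional, Set

# Constructed sample policy: path glob -> roles allowed. Unmatched paths are public.
POLICIES = {
    "/admin/*": {"admin"},
    "/api/*": {"user", "admin"},
}

# Constructed sample routes known to the router.
ROUTES = {"/admin/users", "/api/items", "/public/info"}


def strip_matrix_params(path: str) -> str:
    """Drop ';name=value' matrix parameters from every path segment.

    '/admin;x=1/users;y' -> '/admin/users'
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def required_roles(path: str) -> Optional[Set[str]]:
    """Return the role set of the first matching policy, or None if public."""
    for pattern, roles in POLICIES.items():
        if fnmatchcase(path, pattern):
            return roles
    return None


def handle_inconsistent(raw_path: str, user_roles: Set[str]) -> str:
    """Vulnerable shape: policy check on the raw path, routing on the stripped path."""
    roles = required_roles(raw_path)       # '/admin;x/users' matches no policy glob
    if roles is not None and not (roles & user_roles):
        return "403"
    route = strip_matrix_params(raw_path)  # the router still resolves '/admin/users'
    return "200 " + route if route in ROUTES else "404"


def handle_consistent(raw_path: str, user_roles: Set[str]) -> str:
    """Hardened shape: normalize once, then both layers see the same path."""
    path = strip_matrix_params(raw_path)
    roles = required_roles(path)
    if roles is not None and not (roles & user_roles):
        return "403"
    return "200 " + path if path in ROUTES else "404"
```

The defensive property to test for is that the path the authorization layer evaluates is byte-for-byte the path the router dispatches on; any normalization applied by one and not the other is a bypass candidate.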


Remediation

Install update from vendor's website.