SB2026052541 - Multiple vulnerabilities in Red Hat build of Quarkus 3.27.3

Published: May 25, 2026

Security Bulletin ID: SB2026052541
CSH Severity: High
Patch available: YES
Number of vulnerabilities: 5
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High: 40% (2 of 5), Medium: 60% (3 of 5)

Description

This security bulletin contains information about 5 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2026-39852)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to bypass authorization and access protected resources.

The vulnerability exists due to improper access control in the Quarkus security layer and the RESTEasy Reactive routing layer when handling HTTP requests that contain matrix parameters. A remote attacker can append a semicolon and arbitrary text to the request URL to bypass authorization and access protected resources.

The issue is caused by a path-normalization inconsistency: authorization checks are evaluated against the raw URL path, while routing strips matrix parameters before endpoint matching, so the path that is authorized is not the path that is dispatched. Any permission check that runs ahead of routing must normalize the path exactly as the router does.
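The mismatch described above, as an added example that is not Quarkus or RESTEasy Reactive code: a small model of a router that strips matrix parameters before matching and a permission check that is evaluated either on the raw path (the vulnerable shape) or on the router-normalized path (the fixed shape). The policy table, the "permit anything not covered by a policy entry" default and the path patterns are assumptions chosen to mirror a typical "protect a few paths, permit the rest" configuration.

```python
# Added example modelling the path-normalization mismatch. Not Quarkus code; the
# policy table and the default-permit rule are assumptions for illustration.

# Hypothetical policy: (path pattern, roles allowed). A trailing "/*" covers the
# whole subtree. Requests matching no entry are permitted (assumed default).
POLICY = [
    ("/admin/users", {"admin"}),
    ("/reports/*", {"auditor"}),
]


def strip_matrix_params(path: str) -> str:
    """Drop ';name=value' matrix parameters from every path segment, the way a
    router does before endpoint matching: '/reports;x=1/q1' -> '/reports/q1'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def route(raw_path: str) -> str:
    """The router matches endpoints on the matrix-stripped path."""
    return strip_matrix_params(raw_path)


def _matches(pattern: str, path: str) -> bool:
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def _policy_allows(path: str, roles: set) -> bool:
    for pattern, allowed in POLICY:
        if _matches(pattern, path):
            return bool(allowed & roles)
    return True  # no policy entry covers this path: permitted (assumed default)


def authorize_raw(raw_path: str, roles: set) -> bool:
    """Vulnerable shape: policy is evaluated against the raw request path."""
    return _policy_allows(raw_path, roles)


def authorize_normalized(raw_path: str, roles: set) -> bool:
    """Fixed shape: apply the router's normalization before evaluating policy,
    so the path that is authorized is the path that is dispatched."""
    return _policy_allows(strip_matrix_params(raw_path), roles)


def handle(raw_path: str, roles: set, fixed: bool) -> tuple:
    """Return (allowed, routed_endpoint) for one request under either check."""
    check = authorize_normalized if fixed else authorize_raw
    allowed = check(raw_path, roles)
    return allowed, (route(raw_path) if allowed else None)


if __name__ == "__main__":
    anonymous = set()
    for raw in ["/admin/users", "/admin/users;x", "/reports;x/q1"]:
        print(raw,
              "raw-path check:", handle(raw, anonymous, fixed=False),
              "normalized check:", handle(raw, anonymous, fixed=True))
```

With the raw-path check, `/admin/users;x` matches no policy entry, is permitted, and is then dispatched to `/admin/users`; a semicolon in an earlier segment (`/reports;x/q1`) defeats a wildcard entry the same way. Normalizing before the check closes both, and the test cases above are the regression checks worth keeping in a filter that runs ahead of the router.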


2) LDAP injection (CVE-ID: CVE-2026-0636)

CWE-ID: CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to manipulate LDAP queries.

The vulnerability exists due to improper neutralization of special elements used in an LDAP query in LDAPStoreHelper when building LDAP queries from user-supplied input. A remote attacker can supply crafted input containing filter metacharacters to alter the structure of the resulting LDAP queries.

The affected code is in the prov modules.
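The injection shape behind this class of bug, as an added example that is not LDAPStoreHelper's code: a search filter built by string concatenation beside one built with RFC 4515 value escaping, run against a constructed in-memory directory by a minimal filter evaluator (`&`, `|`, `!`, equality and `*` wildcards only). The directory entries, the filter template and the evaluator are assumptions made so the example runs offline.

```python
# Added example: LDAP filter injection versus RFC 4515 escaping.
# The directory, filter template and evaluator are constructed for illustration.
import re


def escape_ldap_filter_value(value: str) -> str:
    """Escape one assertion value for an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', '\\' and NUL become \\XX hex escapes, as do non-ASCII bytes."""
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte > 0x7F:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_filter_unsafe(uid: str) -> str:
    """Vulnerable: the caller's value is pasted into the filter unchanged."""
    return "(&(objectClass=person)(uid=%s))" % uid


def build_filter_safe(uid: str) -> str:
    """Fixed: the value is escaped, so it can only ever be an assertion value."""
    return "(&(objectClass=person)(uid=%s))" % escape_ldap_filter_value(uid)


# Constructed directory; values are ASCII so the evaluator below can stay small.
DIRECTORY = [
    {"objectClass": ["person"], "uid": ["alice"]},
    {"objectClass": ["person"], "uid": ["bob"]},
    {"objectClass": ["person"], "uid": ["svc-backup"]},
]


def _parse(s: str, i: int = 0) -> tuple:
    """Parse '(op...)' or '(attr=value)' starting at s[i]; return (node, next_i)."""
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|!":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError("unbalanced filter")
        return (op, kids), i + 1
    j = s.index(")", i)  # an escaped ')' is '\29', so this is the real close
    attr, _, val = s[i:j].partition("=")
    return ("=", attr, val), j + 1


def _unescape(s: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _match_value(pattern: str, actual: str) -> bool:
    """'*' outside an escape is a wildcard; '\\2a' is a literal asterisk."""
    parts = [_unescape(p) for p in pattern.split("*")]
    if len(parts) == 1:
        return actual == parts[0]
    if not (actual.startswith(parts[0]) and actual.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(actual) - len(parts[-1])
    for mid in parts[1:-1]:
        idx = actual.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= end


def _evaluate(node: tuple, entry: dict) -> bool:
    if node[0] == "&":
        return all(_evaluate(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_evaluate(k, entry) for k in node[1])
    if node[0] == "!":
        return not _evaluate(node[1][0], entry)
    _, attr, val = node
    return any(_match_value(val, v) for v in entry.get(attr, []))


def search(filter_str: str) -> list:
    """Return the uids of entries matching the filter."""
    tree, end = _parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    return [e["uid"][0] for e in DIRECTORY if _evaluate(tree, e)]


if __name__ == "__main__":
    hostile = "*)(uid=*"
    print(build_filter_unsafe(hostile), "->", search(build_filter_unsafe(hostile)))
    print(build_filter_safe(hostile), "->", search(build_filter_safe(hostile)))
```

The value `*)(uid=*` turns the intended single-user lookup into `(&(objectClass=person)(uid=*)(uid=*))`, which matches every person; escaped, the same value becomes `\2a\29\28uid=\2a` and matches nothing. Escaping is the value-level fix; DN components need the separate RFC 4514 escaping, and a value that should be a bare identifier is better rejected by an allow-list before it reaches the filter at all.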


3) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-5588)

CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to bypass signature verification.

The vulnerability exists because the PKIX draft CompositeVerifier does not reject a composite signature whose signature sequence is empty. A remote attacker can supply an empty signature sequence, which the verifier accepts as valid, and so bypass signature verification.
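The general shape of this bug, as an added example that is not the PKIX draft's or Bouncy Castle's code: a composite signature is a DER SEQUENCE of component signatures, and a verifier that merely checks "every component present verifies" accepts an empty SEQUENCE because there is nothing to fail. The hardened verifier first requires exactly one signature per expected component. The component algorithm here is HMAC-SHA256 with fixed keys, a constructed stand-in for the real public-key components so the example runs offline; the minimal DER encoder and decoder are also assumptions.

```python
# Added example: composite signature verification with and without a component
# count check. HMAC-SHA256 stands in for the real component algorithms.
import hashlib
import hmac

# Constructed component keys; a real composite pairs two public-key algorithms.
COMPONENT_KEYS = [b"component-1-secret", b"component-2-secret"]


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf: bytes, i: int) -> tuple:
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    k = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + k], "big"), i + 1 + k


def encode_composite(sigs: list) -> bytes:
    """SEQUENCE OF BIT STRING, each BIT STRING with zero unused bits."""
    body = b"".join(b"\x03" + _der_len(len(s) + 1) + b"\x00" + s for s in sigs)
    return b"\x30" + _der_len(len(body)) + body


def decode_composite(blob: bytes) -> list:
    """Parse the SEQUENCE back into component signatures. An empty SEQUENCE
    (b'\\x30\\x00') is well-formed DER; rejecting it is the verifier's job."""
    if not blob or blob[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    n, i = _read_len(blob, 1)
    end = i + n
    if end != len(blob):
        raise ValueError("length mismatch")
    sigs = []
    while i < end:
        if blob[i] != 0x03:
            raise ValueError("component is not a BIT STRING")
        n, i = _read_len(blob, i + 1)
        if n < 1 or blob[i] != 0:
            raise ValueError("unused-bits byte must be 0")
        sigs.append(blob[i + 1:i + n])
        i += n
    return sigs


def sign_composite(msg: bytes) -> bytes:
    return encode_composite(
        [hmac.new(k, msg, hashlib.sha256).digest() for k in COMPONENT_KEYS])


def _component_ok(i: int, msg: bytes, sig: bytes) -> bool:
    if i >= len(COMPONENT_KEYS):
        return False
    expect = hmac.new(COMPONENT_KEYS[i], msg, hashlib.sha256).digest()
    return hmac.compare_digest(expect, sig)


def verify_vulnerable(msg: bytes, blob: bytes) -> bool:
    """Checks every component that is present. For an empty SEQUENCE nothing is
    checked and all() of nothing is True, so the forgery is accepted."""
    sigs = decode_composite(blob)
    return all(_component_ok(i, msg, s) for i, s in enumerate(sigs))


def verify_fixed(msg: bytes, blob: bytes) -> bool:
    """Require exactly one signature per expected component, then check each."""
    sigs = decode_composite(blob)
    if len(sigs) != len(COMPONENT_KEYS):
        return False
    return all(_component_ok(i, msg, s) for i, s in enumerate(sigs))


if __name__ == "__main__":
    msg = b"constructed message"
    print("empty SEQUENCE, vulnerable:", verify_vulnerable(msg, b"\x30\x00"))
    print("empty SEQUENCE, fixed:     ", verify_fixed(msg, b"\x30\x00"))
```

The same count check also rejects a composite that carries only one of its two components, which a "verify what is present" loop would otherwise accept; a composite signature is only as strong as its weaker component if the verifier lets the attacker choose how many components to supply.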


4) Incorrect calculation (CVE-ID: CVE-2025-14813)

CWE-ID: CWE-682 - Incorrect Calculation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to cause cryptographic operations to fail.

The vulnerability exists because G3413CTRBlockCipher, the GOST R 34.13-2015 CTR mode implementation, uses a single-byte counter instead of a counter sized as the algorithm definition requires. Encrypting or decrypting more than 255 blocks exhausts that counter, so a remote attacker can supply data that exceeds this limit to cause cryptographic operations to fail.
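Why the counter width matters, as an added example that is not Bouncy Castle's code: a CTR keystream generator whose counter field width is a parameter. With a 1-byte counter the generator cannot name block 256 and fails, which is the availability impact in the bulletin; the same generator with a `wrap=True` switch shows the alternative failure, silent keystream reuse, which is why the fix must widen the counter rather than mask it. The block function is a truncated SHA-256 stand-in for the real cipher (constructed so the example runs offline), and the 8-byte width used as the "correct" setting only illustrates a counter sized for the mode's address space.

```python
# Added example: CTR mode with a counter field of configurable width.
# The block function is a constructed stand-in, not Kuznyechik or Magma.
import hashlib

BLOCK = 16


def _block_prf(key: bytes, counter_block: bytes) -> bytes:
    return hashlib.sha256(key + counter_block).digest()[:BLOCK]


def ctr_keystream(key: bytes, iv: bytes, nblocks: int,
                  counter_bytes: int, wrap: bool = False):
    """Yield nblocks keystream blocks. The counter occupies the last
    counter_bytes of the input block and the IV the rest. With wrap=False the
    generator refuses a block index it cannot encode; with wrap=True it reuses
    counter values, which repeats keystream."""
    limit = 1 << (8 * counter_bytes)
    prefix = iv[:BLOCK - counter_bytes]
    for idx in range(nblocks):
        if idx >= limit:
            if not wrap:
                raise OverflowError("%d-byte counter cannot address block %d"
                                    % (counter_bytes, idx))
            idx %= limit
        yield _block_prf(key, prefix + idx.to_bytes(counter_bytes, "big"))


def ctr_crypt(key: bytes, iv: bytes, data: bytes, counter_bytes: int) -> bytes:
    """Encrypt or decrypt (CTR is symmetric) with the given counter width."""
    out = bytearray()
    nblocks = -(-len(data) // BLOCK)
    stream = ctr_keystream(key, iv, nblocks, counter_bytes)
    for off, ks in zip(range(0, len(data), BLOCK), stream):
        out += bytes(a ^ b for a, b in zip(data[off:off + BLOCK], ks))
    return bytes(out)


def can_process(nblocks: int, counter_bytes: int) -> bool:
    """True if a message of nblocks blocks goes through without error."""
    try:
        list(ctr_keystream(b"k", bytes(range(BLOCK)), nblocks, counter_bytes))
        return True
    except OverflowError:
        return False


def wrapped_reuse(counter_bytes: int, n: int) -> bool:
    """With a wrapping counter, is keystream block n identical to the block it
    aliases (n mod 2^(8*counter_bytes))? True means two-time-pad exposure."""
    ks = list(ctr_keystream(b"k", bytes(range(BLOCK)), n + 1,
                            counter_bytes, wrap=True))
    return ks[n] == ks[n % (1 << (8 * counter_bytes))]


if __name__ == "__main__":
    key, iv = b"constructed-key", bytes(range(BLOCK))
    plaintext = b"GOST CTR test vector, constructed " * 150  # 319 blocks
    print("1-byte counter, 319 blocks:", can_process(319, 1))
    print("8-byte counter, 319 blocks:", can_process(319, 8))
    print("wrapped 1-byte counter reuses block 0 at block 256:",
          wrapped_reuse(1, 256))
    roundtrip = ctr_crypt(key, iv, ctr_crypt(key, iv, plaintext, 8), 8)
    print("8-byte counter round-trip ok:", roundtrip == plaintext)
```

A message a few kilobytes long is enough to trip the narrow counter, so a caller that assumed the mode could handle arbitrary lengths sees an exception rather than ciphertext; a "fix" that wrapped the byte instead would silently reuse keystream from block 256 onward, the classic two-time pad.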


5) Race condition (CVE-ID: CVE-2026-35554)

CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVSSv4: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to a race condition in the Apache Kafka Java producer client's buffer pool management, which can cause messages to be silently delivered to incorrect topics. A remote attacker can exploit the race to gain unauthorized access to sensitive information and escalate privileges on the system.


Remediation

Install the updates from the vendor's website.