SB2026061748 - Improper Resolution of Path Equivalence in Quarkus


Published: June 17, 2026

Security Bulletin ID SB2026061748
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Resolution of Path Equivalence (CVE-ID: CVE-2026-50559)

CWE-ID: CWE-41 - Improper Resolution of Path Equivalence

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper resolution of path equivalence in AbstractPathMatchingHttpSecurityPolicy and static resource handlers when handling crafted request paths containing encoded semicolons, slashes, or backslashes. A remote attacker can send a specially crafted request to disclose sensitive information.

Path-based authorization policies can be bypassed via encoded semicolons on protected endpoints, while protected static resources can be exposed via encoded slashes, backslashes, or double-encoded path separators. REST endpoints using Quarkus REST are not affected by the encoded slash and backslash vectors because routing and security use the same normalized path.
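The mismatch the bulletin describes, modelled as an added example that is neither Quarkus code nor the vendor's fix: a policy that prefix-matches the raw request path beside one that matches the same canonical path the handler resolves, plus a simple detection rule for encoded separators. The `/admin` prefix and the request paths are constructed for illustration.

```python
"""Added model of the path-equivalence issue (not Quarkus code)."""
import posixpath
from urllib.parse import unquote

PROTECTED_PREFIX = "/admin"  # assumed protected prefix for illustration


def canonical_path(raw_path: str) -> str:
    """Canonicalize a request path so policy and handler see one string."""
    path = raw_path
    for _ in range(3):  # decode until stable, so double-encoding collapses
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")  # treat backslash as a separator
    # drop path (matrix) parameters such as ";jsessionid=..." per segment
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    # collapse ".", ".." and repeated slashes; keep a single leading slash
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected(path: str) -> bool:
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def naive_decision(raw_path: str) -> bool:
    """Vulnerable pattern: the policy prefix-matches the raw request path."""
    return is_protected(raw_path)


def hardened_decision(raw_path: str) -> bool:
    """Fixed pattern: the policy matches the canonical path the handler uses."""
    return is_protected(canonical_path(raw_path))


def policy_bypassed(raw_path: str) -> bool:
    """True when the handler resolves a protected path the naive policy skipped."""
    return hardened_decision(raw_path) and not naive_decision(raw_path)


def has_encoded_separator(raw_path: str) -> bool:
    """Detection rule: encoded '/', '\\', ';' or a double-encoded separator."""
    upper = raw_path.upper()
    return any(t in upper for t in ("%2F", "%5C", "%3B", "%252F", "%255C"))


if __name__ == "__main__":
    for p in ("/admin/secret", "/admin%3Bx/secret", "/admin%252Fsecret"):
        print(p, "->", canonical_path(p), "bypassed:", policy_bypassed(p))
```

The defensive point is the one the bulletin makes about Quarkus REST: authorization and resource resolution must be computed from the same canonical path, and requests whose raw path carries encoded separators are worth logging or rejecting at the edge.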


Remediation

Install update from vendor's website.