Improper access control in Quarkus - CVE-2026-39852

 

Improper access control in Quarkus - CVE-2026-39852

Published: May 5, 2026


Vulnerability identifier: #VU129871
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-39852
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Quarkus

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authorization and access protected resources.

The vulnerability exists due to improper access control in the quarkus security layer and RESTEasy Reactive routing layer when handling HTTP requests containing matrix parameters. A remote attacker can append a semicolon and arbitrary text to the request URL to bypass authorization and access protected resources.

The issue is caused by a path-normalization inconsistency where authorization checks are performed on the raw URL path while routing strips matrix parameters before endpoint matching.


How to mitigate CVE-2026-39852

Install security update from vendor's website.

Sources