Improper access control in Quarkus - CVE-2026-39852


Published: May 5, 2026


Vulnerability identifier: #VU129871
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-39852
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Quarkus
Software vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to bypass authorization and access protected resources.

The vulnerability exists due to improper access control in the Quarkus security layer and the RESTEasy Reactive routing layer when handling HTTP requests whose URL path contains matrix parameters. A remote attacker can append a semicolon and arbitrary text to the request URL to bypass authorization and access protected resources.

The issue is caused by a path-normalization inconsistency where authorization checks are performed on the raw URL path while routing strips matrix parameters before endpoint matching.
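The normalization mismatch described above, as an added illustration that is not Quarkus code: the policy, route table and function names are constructed for this example. The vulnerable handler authorizes on the raw path and routes on the stripped one; the fixed handler normalizes once and runs both checks on the same string.

```python
from typing import Optional

# Constructed policy: path prefix -> required role. Not Quarkus configuration.
POLICY = {"/admin/": "admin", "/api/": "user"}

# Constructed route table keyed by the path as the router sees it
# (matrix parameters already stripped).
ROUTES = {"/admin/users": "listUsers", "/api/health": "health"}


def strip_matrix_params(path: str) -> str:
    """Drop ";key=value" matrix parameters from each segment: "/a;x=1/b;y" -> "/a/b"."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def has_matrix_params(path: str) -> bool:
    """Detection helper: true when any path segment carries a matrix parameter."""
    return any(";" in seg for seg in path.split("/"))


def required_role(path: str) -> Optional[str]:
    """Prefix-based authorization rule lookup; None means no rule applies."""
    for prefix, role in POLICY.items():
        if path.startswith(prefix):
            return role
    return None


def handle_vulnerable(path: str, roles: frozenset) -> str:
    """The mismatch: authorization sees the raw path, routing sees the stripped one."""
    role = required_role(path)  # raw path, so "/admin;x=1/users" matches no rule
    if role is not None and role not in roles:
        return "403"
    return ROUTES.get(strip_matrix_params(path), "404")


def handle_fixed(path: str, roles: frozenset) -> str:
    """Normalize once, then authorize and route on the same canonical string."""
    normalized = strip_matrix_params(path)
    role = required_role(normalized)
    if role is not None and role not in roles:
        return "403"
    return ROUTES.get(normalized, "404")


if __name__ == "__main__":
    anonymous = frozenset()
    for p in ("/admin/users", "/admin;x=1/users"):
        print(p, "vulnerable:", handle_vulnerable(p, anonymous),
              "fixed:", handle_fixed(p, anonymous),
              "matrix params:", has_matrix_params(p))
```

`has_matrix_params` is the check a defender can run over access logs or at a reverse proxy to spot requests that exercise this inconsistency while the update is rolled out.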


Remediation

Install the security update from the vendor's website.

External links