Improper Resolution of Path Equivalence in Quarkus - CVE-2026-50559


Published: June 17, 2026


Vulnerability identifier: #VU134739
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-50559
CWE-ID: CWE-41
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Quarkus

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to improper resolution of path equivalence in the AbstractPathMatchingHttpSecurityPolicy class and in the static resource handlers when handling crafted request paths that contain encoded semicolons, slashes, or backslashes: the security policy is matched against a different representation of the path than the one the handler ultimately resolves. A remote attacker can send a specially crafted request to disclose sensitive information.

Path-based authorization policies can be bypassed via encoded semicolons on protected endpoints, while protected static resources can be exposed via encoded slashes, backslashes, or double-encoded path separators. REST endpoints using Quarkus REST are not affected by the encoded slash and backslash vectors because routing and security use the same normalized path.
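The root cause the advisory describes is that the authorization policy and the resource handler disagree about what a request path means. The following added example (written here for illustration in Python, not Quarkus code and not the project's fix) shows the defensive pattern that the unaffected Quarkus REST path follows: canonicalize the request path once, then apply the path policy to that canonical form. The protected prefixes, the sample paths, and the helper names `canonicalize`, `is_protected`, `naive_is_protected` and `encoding_anomalies` are all constructed for this example. The last helper is a logging aid that flags the encoding variants named in the advisory so a defender can review them in access logs.

```python
from urllib.parse import unquote

# Constructed policy for the example; not a Quarkus configuration.
PROTECTED_PREFIXES = ("/admin", "/static/private")


def canonicalize(raw_path: str, max_decode_rounds: int = 2) -> str:
    """Collapse the path-equivalence variants named in the advisory into one form.

    Percent-decoding is repeated so a double-encoded separator (%252F) resolves,
    backslashes are treated as separators, ';'-style path parameters are stripped
    from every segment, and dot segments are resolved.
    """
    path = raw_path
    for _ in range(max_decode_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    resolved: list[str] = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return "/" + "/".join(resolved)


def _matches_prefix(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def is_protected(raw_path: str) -> bool:
    """Correct pattern: the policy sees the same canonical path the handler resolves."""
    return _matches_prefix(canonicalize(raw_path))


def naive_is_protected(raw_path: str) -> bool:
    """Flawed pattern: the policy is matched on the raw, un-normalized request path."""
    return _matches_prefix(raw_path)


def encoding_anomalies(raw_path: str) -> list[str]:
    """Flag the encoding variants from the advisory for log review; not an authorization check."""
    flags = []
    lower = raw_path.lower()
    if "%3b" in lower or ";" in raw_path:
        flags.append("semicolon")
    if "%2f" in lower:
        flags.append("encoded-slash")
    if "%5c" in lower or "\\" in raw_path:
        flags.append("backslash")
    once = unquote(raw_path).lower()
    if any(token in once for token in ("%2f", "%5c", "%3b")):
        flags.append("double-encoded-separator")
    return flags


if __name__ == "__main__":
    # Constructed sample request paths; each resolves to a protected resource.
    for sample in ("/admin%3Bx/users", "/static/private%5Csecret.txt",
                   "/static%252Fprivate/secret.txt", "/public/../admin/x"):
        print(f"{sample:35} canonical={canonicalize(sample):30} "
              f"naive={naive_is_protected(sample)} canonical_policy={is_protected(sample)} "
              f"flags={encoding_anomalies(sample)}")
```

The point of the two matchers is the mismatch, not the individual variants: `naive_is_protected` returns False for every sample above while the handler would still serve the protected resource, whereas `is_protected` decides on the same canonical path the handler resolves. Bounding the decode loop (here two rounds) is deliberate; an unbounded loop would let a deeply nested encoding decide how much work the server does.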


How to mitigate CVE-2026-50559

Install the security update from the vendor's website.

Sources