HIGH🇵🇱 Wersja polska

CVE-2026-50559

CVSS 7.5v3.1pub. 2026-06-19upd. 2026-07-03

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • Quarkus

    APP
    Quarkus
    < 3.20.6.23.21.0 – 3.27.4.1 (bez)3.28.0 – 3.33.2.1 (bez)3.34.0 – 3.36.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2024-12225CRITICAL9.1PL ✓ten sam produkt

Quarkus WebAuthn: pominięcie uwierzytelnienia przez domyślne endpointy REST

CVE-2022-4116CRITICAL9.8ten sam produkt

A vulnerability was found in quarkus. This security flaw happens in Dev UI Config Editor which is vulnerable t...

CVE-2022-2466CRITICAL9.8ten sam produkt

It was found that Quarkus 2.10.x does not terminate HTTP requests header context which may lead to unpredictab...

CVE-2021-26291CRITICAL9.1ten sam produkt

Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may ...

CVE-2026-39852HIGH8.8ten sam produkt

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3...