PatchSiren cyber security CVE debrief

CVE-2026-39852 quarkusio CVE debrief

CVE-2026-39852 is a high-severity vulnerability in Quarkus, a Java framework for building cloud-native applications. The vulnerability is caused by a path normalization inconsistency between the security layer and the routing layer, allowing unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. An attacker can append a semicolon and arbitrary text to a request URL to bypass policies protecting certain endpoints while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2 of Quarkus. The CVSS score for this vulnerability is 8.8, indicating a high severity.

Vendor: quarkusio
Product: quarkus
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-05
Original CVE updated: 2026-06-30
Advisory published: 2026-05-05
Advisory updated: 2026-06-30

Who should care

Organizations using Quarkus for building cloud-native applications should be aware of this vulnerability and take steps to mitigate it. Specifically, administrators and developers of applications built with Quarkus should review their systems for potential exposure and apply the necessary patches. Security teams should also be aware of the potential for attackers to exploit this vulnerability to bypass authorization policies.

Technical summary

The vulnerability in Quarkus arises from a path normalization inconsistency between the security layer and the routing layer. The security layer performs authorization checks on the raw URL path, which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. This inconsistency allows an attacker to bypass HTTP path-based authorization policies by appending a semicolon and arbitrary text to a request URL. For example, an attacker could send a request to /api/admin;anything to bypass policies protecting /api/admin while still routing to the protected endpoint.

Defensive priority

High priority should be given to applying patches to vulnerable Quarkus versions. In the meantime, defenders can consider implementing additional monitoring and logging to detect potential exploitation attempts.

Recommended defensive actions

  • Apply patches to vulnerable Quarkus versions (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2).
  • Review and update authorization policies to account for potential path normalization inconsistencies.
  • Implement additional monitoring and logging to detect potential exploitation attempts.
  • Consider implementing compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent exploitation attempts.
  • Conduct a thorough inventory of systems and applications built with Quarkus to identify potential exposure.
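As an added illustration (not Quarkus's own code and not part of the original debrief), the following Python models the inconsistency described in the technical summary and turns the monitoring recommendation above into a concrete check. It contains a normalizer that strips matrix parameters the way a routing layer would, a policy check shown first against the raw request path (the vulnerable pattern) and then against the normalized path, and a scan over constructed access-log lines that flags requests where the raw and normalized paths disagree about a protected prefix. The policy table, the prefix-matching rule, the log lines and the single percent-decoding pass are assumptions; the normalizer strips matrix parameters on every path segment, which goes beyond the page's single trailing-semicolon example.

```python
import re
from urllib.parse import unquote

# Constructed policy: path prefixes and the role each one requires.
# Assumption: a simple prefix rule standing in for an HTTP path-based
# authorization policy; this is not Quarkus's policy implementation.
PROTECTED_PREFIXES = {"/api/admin": "admin"}

# A matrix parameter is ';' followed by anything up to the next '/'.
MATRIX_RE = re.compile(r";[^/]*")


def normalize_path(raw_path):
    """Return the path a router would match on: query string dropped,
    matrix parameters stripped from every segment, dot segments resolved."""
    path = raw_path.split("?", 1)[0]
    # Assumption: decode once so an encoded ';' is normalized like a literal one.
    path = unquote(path)
    path = MATRIX_RE.sub("", path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def required_role(path):
    """Role needed for a path under the constructed prefix policy, or None."""
    for prefix, role in PROTECTED_PREFIXES.items():
        if path == prefix or path.startswith(prefix + "/"):
            return role
    return None


def authorize_raw(raw_path, roles):
    """Vulnerable pattern: the policy is matched against the raw request path,
    so '/api/admin;anything' never matches the '/api/admin' rule."""
    role = required_role(raw_path)
    return role is None or role in roles


def authorize_normalized(raw_path, roles):
    """Hardened pattern: the policy is matched against the same normalized
    path the router will use, so the two layers cannot disagree."""
    role = required_role(normalize_path(raw_path))
    return role is None or role in roles


# Constructed access-log lines (Common Log Format) for the detection pass.
LOG_LINES = [
    '10.0.0.5 - - [05/May/2026:10:00:01 +0000] "GET /api/admin HTTP/1.1" 401 0',
    '10.0.0.5 - - [05/May/2026:10:00:02 +0000] "GET /api/admin;x HTTP/1.1" 200 512',
    '10.0.0.7 - - [05/May/2026:10:00:03 +0000] "GET /api/public;jsessionid=abc HTTP/1.1" 200 88',
    '10.0.0.9 - - [05/May/2026:10:00:04 +0000] "GET /api/admin/users;a=b HTTP/1.1" 200 1024',
]

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"\s+(?P<status>\d{3})')


def find_suspicious(log_lines):
    """Flag requests containing matrix parameters where the raw target misses
    a protected prefix, the normalized path hits it, and the response was
    not denied. Returns (raw_target, normalized_path, status) tuples."""
    hits = []
    for line in log_lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        target, status = m.group("target"), int(m.group("status"))
        if ";" not in target:
            continue
        raw_role = required_role(target.split("?", 1)[0])
        norm_role = required_role(normalize_path(target))
        if norm_role is not None and raw_role is None and status < 400:
            hits.append((target, normalize_path(target), status))
    return hits


if __name__ == "__main__":
    for raw, norm, status in find_suspicious(LOG_LINES):
        print(f"possible policy bypass: {raw} -> {norm} (HTTP {status})")
```

The fourth log line is deliberately not flagged: under a prefix rule, `/api/admin/users;a=b` already matches the policy on the raw path, so only requests where the two layers actually disagree are reported. The `jsessionid` line shows that matrix parameters on unprotected paths are legitimate traffic and should not be alerted on by themselves.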

Evidence notes

The CVE-2026-39852 vulnerability was publicly disclosed on May 5, 2026, and has since been modified on June 30, 2026. The vulnerability affects multiple versions of Quarkus, and patches have been released to address the issue. The CVSS score for this vulnerability is 8.8, indicating a high severity.

Official resources

This article was generated with AI assistance based on the supplied source corpus.