PatchSiren cyber security CVE debrief
CVE-2026-39852 quarkusio CVE debrief
CVE-2026-39852 is a high-severity vulnerability in Quarkus, a Java framework for building cloud-native applications. The vulnerability is caused by a path normalization inconsistency between the security layer and the routing layer, allowing unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. An attacker can append a semicolon and arbitrary text to a request URL to bypass policies protecting certain endpoints while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2 of Quarkus. The CVSS score for this vulnerability is 8.8, indicating a high severity.
- Vendor: quarkusio
- Product: quarkus
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-05
- Original CVE updated: 2026-06-30
- Advisory published: 2026-05-05
- Advisory updated: 2026-06-30
Who should care
Organizations using Quarkus for building cloud-native applications should be aware of this vulnerability and take steps to mitigate it. Specifically, administrators and developers of applications built with Quarkus should review their systems for potential exposure and apply the necessary patches. Security teams should also be aware of the potential for attackers to exploit this vulnerability to bypass authorization policies.
Technical summary
The vulnerability in Quarkus arises from a path normalization inconsistency between the security layer and the routing layer. The security layer performs authorization checks on the raw URL path, which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. This inconsistency allows an attacker to bypass HTTP path-based authorization policies by appending a semicolon and arbitrary text to a request URL. For example, an attacker could send a request to /api/admin;anything to bypass policies protecting /api/admin while still routing to the protected endpoint.
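The following is an added, constructed model of the bug class described above; it is not Quarkus or RESTEasy Reactive code. It places a path-based authorization layer in front of a router that strips matrix parameters, and contrasts the vulnerable shape (policy lookup on the raw path) with the hardened shape (policy lookup on the same canonical path the router will match). The policy table, route table, "/*" pattern syntax, and the default-permit rule for paths matching no policy are assumptions made for the example; the normalizer also percent-decodes and collapses dot segments, which goes beyond the semicolon case in the advisory and is included as a general defensive choice.

```python
"""Illustrative model of the bug class behind CVE-2026-39852: an authorization
layer that matches policies against the raw request path, in front of a router
that strips matrix parameters before matching. Constructed example, not
Quarkus code."""
import posixpath
from urllib.parse import unquote

# Constructed policy table. A pattern ending in "/*" covers that subtree;
# a value of None means permit-all. Paths matching no pattern are permitted
# (assumption: a default-permit policy layer, which is what makes a
# normalization mismatch turn into a bypass).
POLICY = {
    "/api/admin/*": {"admin"},
    "/api/public/*": None,
}

# Constructed route table: canonical path prefix -> handler name.
ROUTES = {
    "/api/admin": "admin_handler",
    "/api/public": "public_handler",
}


def strip_matrix_params(path: str) -> str:
    """Drop ';name=value' matrix parameters from every path segment (JAX-RS style)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize_path(raw_path: str) -> str:
    """Canonical form the router matches on: query removed, percent-decoded,
    matrix parameters stripped, dot segments collapsed (assumed behaviour)."""
    path = strip_matrix_params(unquote(raw_path.split("?", 1)[0]))
    return posixpath.normpath("/" + path.lstrip("/"))


def _pattern_matches(pattern: str, path: str) -> bool:
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def _decide(path: str, roles: set) -> bool:
    for pattern, allowed in POLICY.items():
        if _pattern_matches(pattern, path):
            return allowed is None or bool(roles & allowed)
    return True  # no policy matched -> permit (default-permit assumption)


def authorize_raw(raw_path: str, roles: set) -> bool:
    """Vulnerable shape: policy lookup on the raw path, matrix params intact,
    so '/api/admin;anything' matches no policy and falls through to permit."""
    return _decide(raw_path, roles)


def authorize_normalized(raw_path: str, roles: set) -> bool:
    """Hardened shape: policy lookup on the same canonical path the router uses."""
    return _decide(normalize_path(raw_path), roles)


def route(raw_path: str):
    """Router: normalizes, then longest-prefix match against the route table."""
    path = normalize_path(raw_path)
    best = None
    for prefix, handler in ROUTES.items():
        if path == prefix or path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, handler)
    return best[1] if best else None


def handle(raw_path: str, roles: set, authorize=authorize_normalized) -> dict:
    """Run the authorization layer, then the router, and report both outcomes."""
    allowed = authorize(raw_path, roles)
    return {"allowed": allowed, "handler": route(raw_path) if allowed else None}


if __name__ == "__main__":
    for path in ("/api/admin", "/api/admin;anything", "/api/admin;a/users"):
        print(path, "| raw-path policy:", handle(path, set(), authorize_raw),
              "| normalized policy:", handle(path, set()))
```

The defensive point is the last two functions: `authorize_normalized` and `route` call the same `normalize_path`, so there is no path the router can reach that the policy layer did not evaluate. Any time two layers canonicalize a request independently, a test like the one in `__main__` (feed the same raw path through both and compare) is worth keeping in the regression suite.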
Defensive priority
High priority should be given to applying patches to vulnerable Quarkus versions. In the meantime, defenders can consider implementing additional monitoring and logging to detect potential exploitation attempts.
Recommended defensive actions
- Apply patches to vulnerable Quarkus versions (3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2).
- Review and update authorization policies to account for potential path normalization inconsistencies.
- Implement additional monitoring and logging to detect potential exploitation attempts.
- Consider implementing compensating controls, such as Web Application Firewalls (WAFs), to detect and prevent exploitation attempts.
- Conduct a thorough inventory of systems and applications built with Quarkus to identify potential exposure.
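As an added example for the monitoring and logging item above (constructed here, not a vendor-supplied detection rule), the sweep below parses Combined Log Format access-log lines, normalizes each request path the way a matrix-parameter-stripping router would, and flags requests whose raw path carries a semicolon while the normalized path lands on a protected prefix. The log lines, IP addresses, timestamps and the `PROTECTED_PREFIXES` list are all constructed for the example; a 2xx response on such a request is rated higher because it indicates the protected handler actually ran.

```python
"""Access-log sweep for matrix-parameter requests that normalize onto a
protected path. Constructed example with constructed log lines."""
import re
from typing import Dict, List, Optional

# Constructed Combined-Log-Format lines; addresses, times and paths are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [05/May/2026:10:01:02 +0000] "GET /api/admin HTTP/1.1" 401 12 "-" "curl/8.0"
10.0.0.5 - - [05/May/2026:10:01:09 +0000] "GET /api/admin;foo HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [05/May/2026:10:02:00 +0000] "GET /api/public;jsessionid=abc HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.9 - - [05/May/2026:10:03:15 +0000] "POST /api/admin/users;x=1 HTTP/1.1" 403 0 "-" "python-requests/2.31"
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: the prefixes this deployment protects with path-based policies.
PROTECTED_PREFIXES = ("/api/admin",)


def strip_matrix_params(path: str) -> str:
    """Drop ';name=value' matrix parameters from every segment, as the router would."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def _under_prefix(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def scan(log_text: str, protected=PROTECTED_PREFIXES) -> List[Dict[str, str]]:
    """Flag requests whose raw path has matrix params and whose normalized
    path falls under a protected prefix. Semicolons alone are too noisy to
    alert on (e.g. ';jsessionid=' on public paths), so the prefix check is
    what makes the signal useful."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        raw_path = rec["target"].split("?", 1)[0]
        if ";" not in raw_path:
            continue
        normalized = strip_matrix_params(raw_path)
        if not any(_under_prefix(normalized, p) for p in protected):
            continue
        # 2xx means the protected handler served the request: the policy did
        # not hold. Anything else is an attempt worth reviewing.
        severity = "high" if rec["status"].startswith("2") else "medium"
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "raw_path": raw_path,
            "normalized_path": normalized,
            "status": rec["status"],
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:10} {f['method']} {f['raw_path']} -> "
              f"{f['normalized_path']} ({f['status']})")
```

Run against real logs, the `high` findings are the ones to triage first; the `medium` ones show who is probing. If the logging pipeline already strips matrix parameters before writing the path, this signal is lost, so confirm the raw request target is what reaches the log.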
Evidence notes
The CVE-2026-39852 vulnerability was publicly disclosed on May 5, 2026, and the record was last updated on June 30, 2026. The vulnerability affects multiple versions of Quarkus, and patches have been released to address the issue. The CVSS score for this vulnerability is 8.8, indicating a high severity.
Official resources
- CVE-2026-39852 CVE record (CVE.org)
- CVE-2026-39852 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (Vendor Advisory)
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article was generated with AI assistance based on the supplied source corpus.