PatchSiren cyber security CVE debrief

CVE-2026-42333 Unknown Vendor CVE debrief

CVE-2026-42333 affects Quarkus OpenAPI Generator and can cause generated authentication filters to send credentials to unintended endpoints. The issue is an authorization-matching flaw rather than a remote code execution problem, but it can still expose bearer tokens, API keys, or basic credentials to the wrong same-method path.

Vendor: Unknown Vendor
Product: Unknown
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

Teams that generate Quarkus REST clients or server stubs from OpenAPI specs, especially where sensitive credentials are attached automatically and where multiple operations share similar path shapes or HTTP methods.

Technical summary

According to the advisory summary, the generated authentication filter matched OpenAPI path templates too broadly when deciding whether to attach credentials. As a result, a security scheme configured for one operation could be applied to a different operation that uses the same HTTP method and only partially resembles the protected template. The consequence is credential leakage to unintended endpoints, which the advisory maps to CWE-200.
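The following is an added illustration, not code from Quarkus OpenAPI Generator or from the advisory, of how an over-broad path-template match lets one operation's security scheme spill onto a different same-method route. The advisory does not say exactly how the generated filter matched; the "broad" matcher below (an unanchored search that accepts any path merely containing the template) is a constructed stand-in for that class of defect, and the mini-spec, operation names, scheme names and request list are all constructed. The strict matcher requires the whole path to match the template, segment for segment, which is the property the regenerated code should have.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Operation:
    method: str
    template: str      # OpenAPI path template, e.g. "/users/{id}"
    security: tuple    # security scheme names this operation requires


# Constructed mini-spec (assumption for illustration): three GET operations,
# two protected by different schemes, with partially overlapping path shapes.
SPEC = (
    Operation("GET", "/public/status", ()),
    Operation("GET", "/users/{id}", ("bearerAuth",)),
    Operation("GET", "/users/{id}/orders", ("apiKey",)),
)


def template_regex(template: str) -> str:
    """Turn a path template into a regex body; each {param} matches exactly one segment."""
    parts = []
    for seg in template.strip("/").split("/"):
        is_param = seg.startswith("{") and seg.endswith("}")
        parts.append("[^/]+" if is_param else re.escape(seg))
    return "/" + "/".join(parts)


def broad_match(template: str, path: str) -> bool:
    # Constructed over-broad matcher: an unanchored search, so the template also
    # "matches" any path that merely contains it somewhere.
    return re.search(template_regex(template), path) is not None


def strict_match(template: str, path: str) -> bool:
    # Whole-path match: same number of segments, every segment accounted for.
    return re.fullmatch(template_regex(template), path) is not None


def schemes_for_request(spec, method: str, path: str, matcher):
    """Scheme names a generated filter would attach to this request under the given matcher."""
    applied = set()
    for op in spec:
        if op.method == method and matcher(op.template, path):
            applied.update(op.security)
    return sorted(applied)


def find_leaks(spec, matcher, requests):
    """Return (method, path, schemes) for every request that would carry a scheme it should not."""
    leaks = []
    for method, path, expected in requests:
        got = schemes_for_request(spec, method, path, matcher)
        if set(got) - set(expected):
            leaks.append((method, path, got))
    return leaks


# Constructed request cases, each with the scheme set it is meant to carry.
REQUESTS = [
    ("GET", "/public/status", ()),
    ("GET", "/users/42", ("bearerAuth",)),
    ("GET", "/users/42/orders", ("apiKey",)),
    ("GET", "/audit/users/42/export", ()),   # unrelated same-method route
    ("POST", "/users/42", ()),               # different method: no GET scheme applies
]

if __name__ == "__main__":
    print("broad matcher leaks :", find_leaks(SPEC, broad_match, REQUESTS))
    print("strict matcher leaks:", find_leaks(SPEC, strict_match, REQUESTS))
```

Under the broad matcher, GET /users/42/orders receives the bearer token meant only for /users/{id}, and GET /audit/users/42/export (which only partially resembles the protected template) receives it as well; under the strict matcher neither does. Running find_leaks against your own spec with the matcher semantics of the regenerated client is a direct way to perform the "credentials only attached to intended operations" check.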

Defensive priority

Medium. Treat as a priority fix if generated code handles production credentials or if your API definitions contain similarly shaped routes. The risk is disclosure of secrets to endpoints that should not receive them, so patching and regenerating code should be done promptly.

Recommended defensive actions

  • Upgrade to a fixed version: 2.11.1-lts, 2.16.0-lts, or 2.17.0, depending on your supported branch.
  • Regenerate any clients or server stubs after upgrading; the vulnerable behavior is in generated authentication logic.
  • Review OpenAPI specs and generated auth configuration for same-method routes with similar path templates.
  • Test that credentials are only attached to the intended operations after regeneration.
  • If you suspect credentials may have been sent to unintended endpoints, rotate or revoke affected bearer tokens, API keys, or basic-auth credentials.
  • Monitor application and proxy logs for unexpected outbound requests that include authentication headers or parameters.
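For the last action in the list, an added example (not from PatchSiren or the Quarkus project) of the log check a defender can run: given the routes that are allowed to carry each credential header, flag every outbound request that sent an authentication header to a route outside that allowlist. The log format, the key=value fields, the route allowlist and the header names are constructed assumptions; adapt the parser to whatever your proxy or client actually emits. Observed paths are normalised by replacing purely numeric segments with {id} so they can be compared to template-shaped allowlist keys.

```python
import re

# Constructed allowlist (assumption): which auth headers each route may carry.
ALLOWED_AUTH = {
    ("GET", "/users/{id}"): {"Authorization"},
    ("GET", "/users/{id}/orders"): {"X-API-Key"},
}

# Constructed sample of outbound-proxy log lines; "auth=-" means no auth header was sent.
SAMPLE_LOG = """\
2026-05-10T08:01:12Z method=GET path=/users/42 auth=Authorization
2026-05-10T08:01:13Z method=GET path=/public/status auth=-
2026-05-10T08:01:14Z method=GET path=/audit/users/42/export auth=Authorization
2026-05-10T08:01:15Z method=GET path=/users/42/orders auth=X-API-Key
2026-05-10T08:01:15Z method=GET path=/users/42/orders auth=Authorization
2026-05-10T08:01:16Z method=POST path=/users/42 auth=Authorization
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) method=(?P<method>[A-Z]+) path=(?P<path>\S+) auth=(?P<auth>\S+)$"
)


def normalise_path(path: str) -> str:
    """Replace numeric path segments with {id} so observed paths line up with templates."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path)


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["auth"] = None if rec["auth"] == "-" else rec["auth"]
    return rec


def find_misrouted_credentials(log_text: str, allowed=ALLOWED_AUTH):
    """Return (timestamp, method, path, header) for each auth header sent outside its allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["auth"] is None:
            continue  # unparseable or unauthenticated request: nothing to leak
        route = (rec["method"], normalise_path(rec["path"]))
        if rec["auth"] not in allowed.get(route, set()):
            alerts.append((rec["ts"], rec["method"], rec["path"], rec["auth"]))
    return alerts


if __name__ == "__main__":
    for alert in find_misrouted_credentials(SAMPLE_LOG):
        print("credential sent to unexpected route:", alert)
```

On the sample, the bearer header on /audit/users/42/export, the bearer header on /users/42/orders (which should carry only the API key) and the POST to /users/42 are flagged; the expected GET requests are not. Any hit on real logs is a signal to rotate the credential involved, as the list above recommends.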

Evidence notes

The description is supported by the CVE record and the linked GitHub advisory/release references. The NVD record shows CVE publication on 2026-05-09T20:16:28.780Z and identifies CWE-200. The advisory references include the pull request that fixed the issue and the release tags for the patched branches. No additional exploitation details were used.

Official resources

Publicly disclosed on 2026-05-09; fixed versions are 2.11.1-lts, 2.16.0-lts, and 2.17.0.