CVE-2026-50559
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| quarkusio | quarkus | >= 3.36.0, < 3.36.3 | affected |
| quarkusio | quarkus | >= 3.33.0, < 3.33.2.1 | affected |
| quarkusio | quarkus | >= 3.27.0, < 3.27.4.1 | affected |
| quarkusio | quarkus | < 3.20.6.2 | affected |
Weaknesses
- CWE-287: CWE-287: Improper Authentication
- CWE-863: CWE-863: Incorrect Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters
Additional References
- https://access.redhat.com/security/cve/CVE-2026-50559
- https://bugzilla.redhat.com/show_bug.cgi?id=2486959
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50559.json
- https://access.redhat.com/errata/RHSA-2026:26586
- https://access.redhat.com/errata/RHSA-2026:26194
- https://access.redhat.com/errata/RHSA-2026:26018
- https://access.redhat.com/errata/RHSA-2026:26017
- https://access.redhat.com/errata/RHSA-2026:34608
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.