CVE-2026-50559

Summary

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

Affected Software

VendorProductVersion RangeStatus
quarkusioquarkus>= 3.36.0, < 3.36.3affected
quarkusioquarkus>= 3.33.0, < 3.33.2.1affected
quarkusioquarkus>= 3.27.0, < 3.27.4.1affected
quarkusioquarkus< 3.20.6.2affected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication
  • CWE-863: CWE-863: Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters

Additional References

References