Description

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

INFO

Published Date :

2026-01-15T20:50:25.642Z

Last Modified :

2026-01-15T21:09:22.172Z

Source :

eclipse
AFFECTED PRODUCTS

The following products are affected by CVE-2026-1002 vulnerability.

Vendors Products
Eclipse
  • Vert.x
  • Vert.x Core
Eclipse Foundation
  • Vert.x
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-1002.

URL Resource
https://github.com/eclipse-vertx/vert.x/pull/5895 cve-icon cve-icon cve-icon
https://github.com/vert-x3/vertx-web/issues/2836 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2026-1002 cve-icon
https://www.cve.org/CVERecord?id=CVE-2026-1002 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact