CVE-2026-39852

Quarkus authorization bypass via semicolon path normalization inconsistency

Description

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.

INFO

Published Date :

2026-05-05T20:58:29.575Z

Last Modified :

2026-05-05T20:58:29.575Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2026-39852 vulnerability.

Vendors	Products
Redhat	Apache Camel Quarkus Quarkus

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-39852.

URL	Resource
https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Attack Requirements

Privileges Required

User Interaction

VS Confidentiality

VS Integrity

VS Availability

SS Confidentiality

SS Integrity

SS Availability