CVE-2026-39852 · HIGH 8.2 · EPSS percentile 17.6%

CVE-2026-39852

Description

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.
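The bypass described above is a normalization mismatch: one layer decides on the raw path, another decides on a stripped path, and the two disagree on what `/api/admin;anything` is. The following Python model is an added example written for this page, not Quarkus code, and it simplifies the real system: the policy is a constructed dict with prefix matching, `strip_matrix_params` models a JAX-RS-style router dropping `;name=value` suffixes per segment, and `authorize_vulnerable` / `authorize_fixed` are hypothetical names for the two authorization behaviours. `find_divergent` is a constructed detection helper that flags request paths on which the two layers disagree, which is also a cheap way to probe an instance or scan access logs for bypass attempts.

```python
"""Model of the CVE-2026-39852 path-normalization mismatch.

Constructed example for this page; not Quarkus or RESTEasy Reactive code.
The authorization layer in the vulnerable versions matched path policies
against the raw request path (matrix parameters kept), while the router
stripped matrix parameters before choosing an endpoint.
"""
from __future__ import annotations

from typing import Callable, Iterable

# Constructed policy: anything at or under /api/admin requires the "admin" role.
# Loosely modelled on path-based permission config; not copied from Quarkus.
POLICY: dict[str, set[str]] = {"/api/admin": {"admin"}}


def strip_matrix_params(path: str) -> str:
    """Drop ';param=value' suffixes from every path segment, as a JAX-RS-style
    router does before matching, e.g. '/api/admin;anything' -> '/api/admin'."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def route(raw_path: str) -> str:
    """Routing layer: the endpoint is chosen from the matrix-stripped path."""
    return strip_matrix_params(raw_path)


def required_roles(policy_path: str) -> set[str]:
    """Roles demanded by the first policy whose prefix covers policy_path."""
    for prefix, roles in POLICY.items():
        if policy_path == prefix or policy_path.startswith(prefix + "/"):
            return roles
    return set()


def authorize_vulnerable(raw_path: str, roles: set[str]) -> bool:
    """Vulnerable layer: policy matched against the raw path, so the trailing
    ';anything' makes the request look like it is outside /api/admin."""
    return required_roles(raw_path) <= roles


def authorize_fixed(raw_path: str, roles: set[str]) -> bool:
    """Hardened layer: normalize exactly the way the router does, then match.
    The policy and the router now see the same path."""
    return required_roles(strip_matrix_params(raw_path)) <= roles


def simulate(
    raw_path: str,
    roles: set[str],
    authorize: Callable[[str, set[str]], bool],
) -> tuple[bool, str]:
    """Return (allowed, endpoint_reached) for one request through the given
    authorization layer followed by the router."""
    return authorize(raw_path, roles), route(raw_path)


def find_divergent(raw_paths: Iterable[str]) -> list[str]:
    """Detection helper: anonymous requests the vulnerable layer would allow but
    the fixed layer denies. Run over request paths from access logs or over a
    list of probe URLs to find bypass attempts / confirm exposure."""
    anonymous: set[str] = set()
    return [
        p
        for p in raw_paths
        if authorize_vulnerable(p, anonymous) and not authorize_fixed(p, anonymous)
    ]


if __name__ == "__main__":
    # Constructed request sample: the advisory's example plus a matrix
    # parameter on an intermediate segment, which the router also strips.
    sample = ["/api/admin", "/api/admin;anything", "/api;x=1/admin/users", "/api/public"]
    for path in sample:
        print(f"{path:28} vulnerable={simulate(path, set(), authorize_vulnerable)}"
              f" fixed={simulate(path, set(), authorize_fixed)}")
    print("divergent:", find_divergent(sample))
```

The fix shown here is the general principle (authorize on the same normalized path the router dispatches on, ideally by reusing the router's own normalization), not the literal Quarkus patch; the remediation for a real deployment is upgrading to one of the fixed versions listed above, and `find_divergent` is only a way to confirm whether requests carrying `;` in a protected path are reaching you.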

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.27% probability of exploitation · percentile 17.6% · 2026-06-19T12:03:05Z
Published: 2026-05-05
Last modified: 2026-05-08

Underlying weaknesses · 1

CWE-863

References

  1. https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9

Weakness mapping · 1

Type | Target | Confidence | Tier
Weakness | Incorrect Authorization (CWE-863) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  - CVE: CVE-2025-1247
  - CVE: CVE-2026-33808
  - CVE: CVE-2026-40912
  - CVE: CVE-2026-22733
  - CVE: CVE-2026-41847
  - CVE: CVE-2026-41843

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.