Path-based Authorization Bypass in Quarkus Java Framework
CVE-2026-39852
What is CVE-2026-39852?
Quarkus, a cloud-native Java framework, has a path-normalization inconsistency between its security layer and its routing layer. In affected versions, a caller who lacks the required permissions can bypass HTTP path-based authorization policies by inserting a semicolon followed by arbitrary text (matrix-parameter syntax) into a request path. The security layer evaluates the policy against the raw URL path with matrix parameters preserved, so the modified path no longer matches the pattern that protects the endpoint and the policy is not applied; the routing layer then strips the matrix parameters while matching endpoints, so the request is still dispatched to the protected resource. The attacker thereby reaches protected resources without proper authorization. The issue is fixed in the releases listed under Affected Version(s) below.
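To make the layering mistake concrete, here is a constructed Python model, added here and not Quarkus code, of a security filter that checks the raw path and a router that strips matrix parameters, beside the corrected ordering that canonicalizes once and reuses the result for both decisions. POLICY, ROUTES, the role names and the two handlers are hypothetical; both layers are simplified to the behaviour the advisory describes.

```python
"""Model of the CVE-2026-39852 path-normalization mismatch.

Constructed illustration, not Quarkus source code: POLICY, ROUTES and the
two handlers are hypothetical.  The 'security layer' checks the raw
request path; the 'routing layer' strips matrix parameters (';k=v') from
each path segment before matching an endpoint.
"""
from typing import Optional

# Hypothetical path-based policy: pattern -> role required to call it.
POLICY = {
    "/admin/*": "admin",      # prefix pattern
    "/api/secret": "user",    # exact pattern
}
# Hypothetical endpoints keyed by canonical path.
ROUTES = {
    "/admin/users": "list_users",
    "/api/secret": "secret",
    "/api/status": "status",
}


def strip_matrix_params(path: str) -> str:
    """Routing-layer normalization: drop ';...' from every path segment."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def policy_matches(pattern: str, path: str) -> bool:
    """'/x/*' covers '/x' and anything under '/x/'; other patterns are exact."""
    if pattern.endswith("/*"):
        base = pattern[:-2]
        return path == base or path.startswith(base + "/")
    return path == pattern


def required_role(path: str) -> Optional[str]:
    """First matching policy wins; no match means the request is permitted."""
    for pattern, role in POLICY.items():
        if policy_matches(pattern, path):
            return role
    return None


def authorized(path: str, roles: set) -> bool:
    role = required_role(path)
    return role is None or role in roles


def handle_vulnerable(path: str, roles: set) -> str:
    """Authorize on the raw path, then route on the normalized path."""
    if not authorized(path, roles):                    # sees '/admin;x=1/users'
        return "403"
    endpoint = ROUTES.get(strip_matrix_params(path))   # sees '/admin/users'
    return endpoint or "404"


def handle_fixed(path: str, roles: set) -> str:
    """Normalize once and feed the same canonical path to both layers."""
    canonical = strip_matrix_params(path)
    if not authorized(canonical, roles):
        return "403"
    return ROUTES.get(canonical) or "404"


if __name__ == "__main__":
    anonymous: set = set()
    for p in ("/admin/users", "/admin;x=1/users", "/api/secret", "/api/secret;x=1"):
        print(f"{p:20} vulnerable={handle_vulnerable(p, anonymous):10} fixed={handle_fixed(p, anonymous)}")
```

Run as a script, the anonymous caller gets a 403 for /admin/users from both handlers, but the vulnerable handler serves /admin;x=1/users and /api/secret;x=1 because the raw path matches no policy while the router still resolves the canonical endpoint. The quickest check against a real deployment follows the same shape: take a request that is refused on a protected path, insert ";x" into a segment that the policy pattern depends on, and compare the responses. The durable fix is the one the second handler shows, canonicalizing once before any policy lookup rather than teaching each layer its own normalization rules.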
Affected Version(s)
quarkus: < 3.20.6.1 (fixed in 3.20.6.1)
quarkus: >= 3.27.3.0, < 3.27.3.1 (fixed in 3.27.3.1)
quarkus: >= 3.34.0, < 3.34.7 (fixed in 3.34.7)
