Authentication Filter Vulnerability in Quarkus OpenAPI Generator
CVE-2026-42333

6.3 MEDIUM

Key Information:

Vendor
CVE Published: 9 May 2026

What is CVE-2026-42333?

The Quarkus OpenAPI Generator contains an improper authentication vulnerability: its authentication filter matches OpenAPI path templates too broadly. As a result, credentials such as bearer tokens or API keys that belong to one operation can be attached to requests for different endpoints whose paths only partially match that operation's template, so a credential intended for one service may be sent to another. The vulnerability is fixed in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0.
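The failure mode described above, shown as an added Java illustration that is not code from quarkus-openapi-generator: a client-side filter keys credentials on OpenAPI path templates and picks one by matching the outgoing request path. The template-to-regex conversion, the sample credential map and the "loose versus strict" distinction are assumptions made for this example, not the generator's actual implementation or root cause. It shows why a substring match on a template hands the `/users/{id}` credential to unrelated paths, while an anchored, segment-for-segment match does not.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/*
 * Added illustration (not quarkus-openapi-generator code). Models an auth
 * filter that selects a credential by matching the request path against the
 * OpenAPI path templates it knows about. Everything here is an assumption
 * for the example: the regex conversion, the credential map, the two
 * selection strategies.
 */
public class PathTemplateAuthFilter {

    /** Credentials registered per operation path template (constructed sample data). */
    static final Map<String, String> CREDENTIALS = new LinkedHashMap<>();
    static {
        CREDENTIALS.put("/users/{id}", "Bearer token-for-users-api");
        CREDENTIALS.put("/billing/invoices", "ApiKey billing-key");
    }

    /**
     * Turn "/users/{id}" into a regex where each {var} matches exactly one
     * path segment. Literal parts are assumed to contain no regex metacharacters.
     */
    static Pattern toPattern(String template) {
        String regex = template.replaceAll("\\{[^/}]+\\}", "[^/]+");
        return Pattern.compile(regex);
    }

    /** Loose selection: first template whose pattern occurs anywhere in the path (the leak). */
    static String selectLoose(String requestPath) {
        for (Map.Entry<String, String> e : CREDENTIALS.entrySet()) {
            if (toPattern(e.getKey()).matcher(requestPath).find()) {
                return e.getValue();
            }
        }
        return null;
    }

    /** Strict selection: the whole path must match the template, segment for segment. */
    static String selectStrict(String requestPath) {
        for (Map.Entry<String, String> e : CREDENTIALS.entrySet()) {
            if (toPattern(e.getKey()).matcher(requestPath).matches()) {
                return e.getValue();
            }
        }
        return null;
    }

    public static void main(String[] args) {
        String[] paths = {
            "/users/42",                  // the operation the credential belongs to
            "/internal/users/42/export",  // partial match: another service, same substring
            "/users/42/sessions",         // partial match: sub-resource not in the spec
            "/billing/invoices"
        };
        System.out.printf("%-28s %-28s %s%n", "request path", "loose (leaks)", "strict");
        for (String p : paths) {
            System.out.printf("%-28s %-28s %s%n", p, selectLoose(p), selectStrict(p));
        }
    }
}
```

Run with `java PathTemplateAuthFilter.java`: the loose column attaches the users-API bearer token to `/internal/users/42/export` and `/users/42/sessions`, neither of which is the operation the token was registered for; the strict column returns `null` for both, so no credential leaves for an endpoint outside the spec. A filter that must tolerate a base path should strip or anchor it explicitly rather than fall back to substring matching.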

Affected Version(s)

quarkus-openapi-generator < 2.11.1-lts

quarkus-openapi-generator < 2.16.0-lts

quarkus-openapi-generator < 2.17.0

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
