Path-Based Authorization Bypass in Quarkus Java Framework
CVE-2026-50559
7.5 HIGH
What is CVE-2026-50559?
Quarkus, a widely used Java framework for cloud-native applications, contains a flaw that allows its HTTP path-based authorization policies to be bypassed. An unauthenticated client can reach protected static resources by placing percent-encoded semicolons (%3B), slashes (%2F) or backslashes (%5C) in the request path: the matrix parameters these introduce are smuggled past the path-based permission check, so a request that should have required authentication is served. Affected users should upgrade to 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5 or 3.20.6.2, which contain the fix.
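The following Python example is added here to illustrate the class of bug described above; it is not Quarkus code and does not reproduce how the Quarkus permission matcher or static-resource handler are implemented. It contrasts a naive check that matches the policy against the raw request path with a hardened check that canonicalises the path first (percent-decode once, strip matrix parameters, treat backslashes as slashes, resolve dot segments, and reject encoded slashes, encoded backslashes and double encoding). The policy prefix /admin, the file names and the request paths are constructed for the example.

```python
import re
from typing import Dict, Optional
from urllib.parse import unquote

# Assumed policy for the example: everything under /admin requires authentication.
PROTECTED_PREFIXES = ("/admin",)

# A '%XX' sequence that survives one round of decoding means double encoding.
_ENCODED_OCTET = re.compile(r"%[0-9A-Fa-f]{2}")


def _matches_policy(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def naive_is_protected(raw_path: str) -> bool:
    """Weak check: the policy is matched against the path exactly as received,
    so '/admin%3Bx=1/secret.html' does not look like '/admin/...' to it."""
    return _matches_policy(raw_path)


def lenient_resolve(raw_path: str) -> str:
    """What a lenient static-resource handler ends up serving: it percent-decodes,
    treats '\\' as '/', and drops matrix parameters (';k=v') from each segment.
    This is the path the request really reaches, whatever the naive check saw."""
    decoded = unquote(raw_path).replace("\\", "/")
    return "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))


def canonical_path(raw_path: str) -> Optional[str]:
    """Hardened canonicalisation performed before the authorization check.
    Returns None when the request should be rejected outright (HTTP 400)."""
    lowered = raw_path.lower()
    # Encoded path separators are never legitimate in a resource path: reject.
    if "%2f" in lowered or "%5c" in lowered:
        return None
    decoded = unquote(raw_path)
    if _ENCODED_OCTET.search(decoded):
        return None  # double encoding: reject rather than decode a second time
    decoded = decoded.replace("\\", "/")
    segments = []
    for seg in decoded.split("/"):
        seg = seg.split(";", 1)[0]  # strip matrix parameters from the segment
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None  # traversal above the root
            segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def hardened_decision(raw_path: str, authenticated: bool) -> str:
    """Authorization decision taken on the canonical path: 'reject', 'deny' or 'allow'."""
    canon = canonical_path(raw_path)
    if canon is None:
        return "reject"
    if _matches_policy(canon) and not authenticated:
        return "deny"
    return "allow"


def compare(raw_path: str) -> Dict[str, object]:
    """For one unauthenticated request: what the naive check decides, what the
    lenient handler would actually serve, and what the hardened check decides."""
    return {
        "naive_protected": naive_is_protected(raw_path),
        "served_path": lenient_resolve(raw_path),
        "hardened": hardened_decision(raw_path, authenticated=False),
    }


if __name__ == "__main__":
    # Constructed request paths; %3B = ';', %2F = '/', %5C = '\'.
    for p in ("/admin/secret.html",
              "/admin%3Bjsessionid=abc/secret.html",
              "/admin%2Fsecret.html",
              "/admin%5Csecret.html",
              "/public/..%2Fadmin/secret.html",
              "/index.html"):
        print(p, compare(p))
```

For the smuggled request `/admin%3Bjsessionid=abc/secret.html`, `naive_is_protected` returns False while `lenient_resolve` shows the handler would serve `/admin/secret.html`; `hardened_decision` canonicalises first and denies it. The same canonical form is what a detection rule should key on: any request path containing %3B, %2F or %5C towards a protected prefix is worth alerting on while unpatched versions are in service.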
Affected Version(s)
quarkus >= 3.36.0, < 3.36.3 (fixed in 3.36.3)
quarkus >= 3.33.0, < 3.33.2.1 (fixed in 3.33.2.1)
quarkus >= 3.27.0, < 3.27.4.1 (fixed in 3.27.4.1)
