Back to overview

CVE-2026-50559

HIGH
7.5
CVSS 3.1
Description
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

Metadata

CVE ID
CVE-2026-50559
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-04 21:34 UTC
Published
2026-06-19 20:26 UTC
Last updated
2026-06-19 20:26 UTC
Primary CWE
CWE-287
CWE-287: Improper Authentication
Vendor / Product
quarkusio / quarkus
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
quarkusio quarkus >= 3.36.0, < 3.36.3, >= 3.33.0, < 3.33.2.1, >= 3.27.0, < 3.27.4.1, < 3.20.6.2
Weakness (CWE)
CWESourceDescription
CWE-287 cna CWE-287: Improper Authentication
CWE-863 cna CWE-863: Incorrect Authorization
CVSS scores (1)
ScoreSeverityVersionSourceVector
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
References (1)
Back to overview