CVE-2026-39852— Quarkus authorization bypass via semicolon path normalization inconsistency

Quarkus authorization bypass via semicolon path normalization inconsistency

Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.

N/A

授权机制不正确

Quarkus 安全漏洞

Quarkus是Quarkus开源的一个用于编写 Java 应用程序的云原生 (Linux) 容器优先框架。 Quarkus存在安全漏洞，该漏洞源于安全层和路由层之间的路径规范化不一致，允许未经身份验证或低权限用户绕过基于HTTP路径的授权策略。以下版本受到影响：3.20.6.1之前版本、3.27.3.1之前版本、3.33.1.1之前版本、3.35.1.1之前版本、3.34.7之前版本和3.35.2之前版本。

N/A

N/A