CVE-2026-50559

HIGH

Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities

Title source: cna
STIX 2.1

Description

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

Scores

CVSS v3 7.5
EPSS 0.0039
EPSS Percentile 31.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-287 CWE-551 CWE-863
Status published
Products (5)
quarkus/quarkus < 3.20.6.2
quarkusio/quarkus < 3.20.6.2
quarkusio/quarkus >= 3.27.0, < 3.27.4.1
quarkusio/quarkus >= 3.33.0, < 3.33.2.1
quarkusio/quarkus >= 3.36.0, < 3.36.3
Published Jun 19, 2026
Tracked Since Jun 20, 2026