Quarkus Path Normalization Bypass (unpatched < v3.20.6.1)
CVE-2026-39852 Published on May 5, 2026

Quarkus authorization bypass via semicolon path normalization inconsistency
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. Quarkus's security layer performs authorization checks on the raw URL path which preserves matrix parameters (semicolons), while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. An attacker can append a semicolon and arbitrary text to a request URL (e.g., /api/admin;anything) to bypass policies protecting /api/admin while still routing to the protected endpoint. This issue has been fixed in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.

NVD

Vulnerability Analysis

CVE-2026-39852 is exploitable with network access and requires neither privileges nor user interaction. Its attack complexity is rated low. A successful exploit is considered to have no impact on confidentiality, no impact on integrity, and a high impact on availability.

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: HIGH

Weakness Types

What is an AuthZ Vulnerability?

The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVE-2026-39852 has been classified as an AuthZ vulnerability or weakness.

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.
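The mismatch described in the vulnerability summary and in the CWE text above, reduced to a small model as an added example (this is not Quarkus or RESTEasy Reactive code): a path policy protecting /api/admin, a matrix-parameter-stripping routine that stands in for what the routing layer does, and the raw-path authorization check next to a hardened check that canonicalizes first. The policy table, the helper names and the exact canonicalization steps are assumptions.

```python
import posixpath

# Constructed policy table (assumption): the path-based rule the bypass targets.
PROTECTED_PATHS = {"/api/admin"}


def strip_matrix_params(path):
    """Drop ';anything' matrix parameters from every segment, standing in for
    what the routing layer does before matching an endpoint (assumption)."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def canonicalize(path):
    """Canonical form: matrix parameters removed, then '/./', '//' and '/../'
    collapsed and any trailing slash dropped (posixpath.normpath)."""
    collapsed = posixpath.normpath(strip_matrix_params(path))
    return "/" + collapsed.lstrip("/")  # normpath keeps a leading '//'; fold it


def matches_policy(path):
    """Exact match on a protected path, or a sub-path beneath it."""
    return path in PROTECTED_PATHS or any(
        path.startswith(p + "/") for p in PROTECTED_PATHS)


def vulnerable_is_protected(raw_path):
    """Authorization before canonicalization: the raw path is compared, so
    '/api/admin;anything' never equals '/api/admin' and the policy stays silent."""
    return matches_policy(raw_path)


def hardened_is_protected(raw_path):
    """Canonicalize first, then authorize: the same view the router will use."""
    return matches_policy(canonicalize(raw_path))


def reaches_protected_handler(raw_path):
    """Routing-layer view: after stripping, the request still lands on /api/admin."""
    return canonicalize(raw_path) in PROTECTED_PATHS


def bypassed(raw_path, is_protected):
    """True when the request is routed to a protected endpoint but the policy
    check under test did not fire, i.e. the authorization bypass condition."""
    return reaches_protected_handler(raw_path) and not is_protected(raw_path)


if __name__ == "__main__":
    for p in ("/api/admin", "/api/admin;anything", "/./api/admin"):
        print(f"{p:22} vulnerable bypass={bypassed(p, vulnerable_is_protected)!s:5} "
              f"hardened bypass={bypassed(p, hardened_is_protected)}")
```

The same ordering defect covers the CWE's /./ case: the hardened check normalizes dot segments as well as matrix parameters, so both forms resolve to the protected path before the policy is consulted.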


Products Associated with CVE-2026-39852

Affected Versions

quarkusio quarkus
Red Hat Cryostat 4 on RHEL 9
Red Hat HawtIO HawtIO 4.4.0
Red Hat Build of Apache Camel 4.14 for Quarkus 3.27
Red Hat build of Quarkus 3.20.6.SP1
Red Hat build of Quarkus 3.27.3.SP1
Red Hat OpenShift Serverless
Red Hat build of Apache Camel 4 for Quarkus 3
Red Hat build of Apicurio Registry 2
Red Hat build of Apicurio Registry 3
Red Hat build of Debezium 3
Red Hat build of OptaPlanner 8
Red Hat OpenShift AI (RHOAI)
Red Hat Process Automation 7
Red Hat streams for Apache Kafka 2
Red Hat streams for Apache Kafka 3
Red Hat Build of Keycloak
Red Hat Fuse 7
Red Hat JBoss Enterprise Application Platform Expansion Pack

Exploit Probability

EPSS: 0.27%
Percentile: 17.64%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.