Threat Advisory

Quarkus Vulnerability Exposes Authorization Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-39852, with a CVSS score of 8.2, is a vulnerability in the Quarkus framework for Java that lets unauthenticated or lower-privileged users bypass HTTP path-based authorization policies in affected versions. The issue is caused by a path-normalization inconsistency between the security layer and the routing layer: appending a semicolon and arbitrary text to a request URL is enough to evade policies protecting specific endpoints. The root cause is that Quarkus's security layer performs authorization checks on the raw URL path, which preserves matrix parameters, while RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints, so the two layers evaluate different paths for the same request. As a result, an attacker with no prior access can exploit this vulnerability to reach protected resources, leading to authentication/authorization bypasses. The business impact includes potential unauthorized access to sensitive data, compromised system integrity, and disruption of business operations. No user interaction or privileges are required to exploit this vulnerability, and it can be leveraged over the network.
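The mismatch described above is easiest to see with both layers side by side. The following is an added example written for this advisory, not Quarkus or RESTEasy Reactive code: the policy table, the two "layers" and the request paths are constructed stand-ins. It shows why an authorization check on the raw path diverges from a router that strips matrix parameters, and the hardened form in which the security layer normalizes the path exactly as the router does before consulting the policy.

```python
"""Toy model of a path-normalization mismatch between an authorization layer
and a routing layer.

Constructed example for this advisory: the "security layer" and "routing
layer" below are stand-ins, not Quarkus or RESTEasy Reactive code.  The
POLICY table and request paths are made up for illustration.
"""

from typing import Dict, Optional, Set

# Constructed policy: path pattern -> role required.  A pattern ending in
# "/*" protects every path beneath that prefix; anything else is an exact match.
POLICY: Dict[str, str] = {
    "/admin/*": "admin",
    "/api/secret": "user",
}


def strip_matrix_params(path: str) -> str:
    """Drop RFC 3986 path-segment parameters (";k=v") from every segment.

    "/admin;x/users" -> "/admin/users".  This mirrors what a routing layer
    does before it matches an endpoint.
    """
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def pattern_matches(pattern: str, path: str) -> bool:
    """Match an exact pattern or a '/*' prefix pattern against a path."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def required_role(path: str) -> Optional[str]:
    """Return the role the policy demands for this path, or None if unprotected."""
    for pattern, role in POLICY.items():
        if pattern_matches(pattern, path):
            return role
    return None


def vulnerable_authorize(raw_path: str, roles: Set[str]) -> bool:
    """Security layer evaluated on the RAW path, matrix parameters intact.

    "/admin;x/users" matches neither "/admin/*" nor "/api/secret", so the
    policy treats it as unprotected and lets the request through.
    """
    role = required_role(raw_path)
    return role is None or role in roles


def hardened_authorize(raw_path: str, roles: Set[str]) -> bool:
    """Security layer evaluated on the same normalized path the router uses."""
    role = required_role(strip_matrix_params(raw_path))
    return role is None or role in roles


def route(raw_path: str) -> str:
    """Routing layer: normalizes first; the handler for that path then runs."""
    return strip_matrix_params(raw_path)


def simulate(raw_path: str, roles: Set[str], authorize) -> dict:
    """Run both layers for one request and report whether they disagreed."""
    allowed = authorize(raw_path, roles)
    handler = route(raw_path)
    handler_role = required_role(handler)
    return {
        "allowed": allowed,
        "handler": handler,
        # Bypass: the security layer admitted the request, yet the handler the
        # router selected is protected and the caller lacks the required role.
        "bypass": allowed and handler_role is not None and handler_role not in roles,
    }


if __name__ == "__main__":
    anonymous: Set[str] = set()
    for path in ["/admin/users", "/admin;x/users", "/api/secret;v=1"]:
        print(path, "vulnerable:", simulate(path, anonymous, vulnerable_authorize))
        print(path, "hardened:  ", simulate(path, anonymous, hardened_authorize))
```

The `bypass` flag in `simulate` is also the property a regression test should assert on after patching: for every request, the path the policy evaluated and the path the router dispatched must be the same string, or the policy must be evaluated on the router's normalized form. Requests whose raw path contains `;` reaching protected handlers are likewise a useful signal to look for in access logs while the upgrade below is rolled out.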

RECOMMENDATION:

  • We recommend updating maven/io.quarkus:quarkus-vertx-http to version 3.35.1.1.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-rc95-pcm8-65v9
