CVE-2026-50559

Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities

Assigner: GitHub_M
Reserved: 04.06.2026 Published: 19.06.2026 Updated: 19.06.2026

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	quarkusio
Product	quarkus
Versions	Version >= 3.36.0, < 3.36.3 is affected Version >= 3.33.0, < 3.33.2.1 is affected Version >= 3.27.0, < 3.27.4.1 is affected Version < 3.20.6.2 is affected

Vendor

quarkusio

Product

quarkus

Versions

Version >= 3.36.0, < 3.36.3 is affected
Version >= 3.33.0, < 3.33.2.1 is affected
Version >= 3.27.0, < 3.27.4.1 is affected
Version < 3.20.6.2 is affected

References

Problem Types

CWE-287: Improper Authentication CWE
CWE-863: Incorrect Authorization CWE

CVE-2026-50559 PUBLISHED

Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities

Metrics

Product Status

References

Problem Types