CVE-2026-39852 Overview
CVE-2026-39852 is an authorization bypass vulnerability in Quarkus, a Java framework for building cloud-native applications. The flaw stems from a path normalization inconsistency between the Quarkus security layer and the RESTEasy Reactive routing layer. The security layer evaluates authorization on the raw URL path including matrix parameters, while the routing layer strips matrix parameters before endpoint matching. Attackers can append a semicolon and arbitrary text to a URL such as /api/admin;anything to bypass HTTP path-based authorization policies while still reaching the protected endpoint. The issue is fixed in Quarkus versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2.
Critical Impact
Unauthenticated or lower-privileged attackers can bypass HTTP authorization policies and reach protected administrative endpoints over the network without user interaction.
Affected Products
- Quarkus versions prior to 3.20.6.1
- Quarkus versions prior to 3.27.3.1, 3.33.1.1, 3.35.1.1
- Quarkus versions prior to 3.34.7 and 3.35.2
Discovery Timeline
- 2026-05-05 - CVE-2026-39852 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-39852
Vulnerability Analysis
The vulnerability is classified under [CWE-863] Incorrect Authorization. Quarkus enforces HTTP path-based authorization policies before requests reach the routing layer. The security layer inspects the raw request URI, retaining matrix parameters introduced by semicolons. RESTEasy Reactive then performs route matching on a normalized path that strips those matrix parameters. This mismatch creates a parser differential between two trust boundaries within the same request pipeline.
An attacker who knows the path of a protected endpoint can craft a URL that the security layer treats as a different, unprotected resource. The routing layer then dispatches the request to the original protected handler. The result is direct, unauthenticated access to functionality that the application owner intended to restrict.
Root Cause
The root cause is divergent URL parsing semantics across two components in the request handling chain. The security filter compares the unnormalized path against configured policies such as those protecting /api/admin. The router applies RFC 3986 matrix parameter stripping before endpoint dispatch. A request to /api/admin;anything therefore evaluates as not matching the protected pattern at the policy layer but matches the admin handler at the routing layer.
Attack Vector
Exploitation requires only network access to the vulnerable application and a single crafted HTTP request. The attacker appends a semicolon followed by arbitrary characters to the path segment of any protected URL. No authentication, privileges, or user interaction are required. Detailed technical analysis is available in the Quarkus GitHub Security Advisory GHSA-rc95-pcm8-65v9.
Detection Methods for CVE-2026-39852
Indicators of Compromise
- HTTP request log entries containing semicolons within path segments targeting protected routes, for example /api/admin;x or /management;test.
- Successful HTTP 200 responses to administrative endpoints from clients that have not completed authentication or lack expected role claims.
- Unexpected access to RESTEasy Reactive endpoints originating from external IP addresses outside normal administrative source ranges.
Detection Strategies
- Inspect access logs and reverse-proxy logs for path components containing the ; character, especially preceding sensitive routes.
- Correlate authentication audit events with handler invocation logs to identify cases where a protected handler executed without a corresponding successful authorization decision.
- Deploy WAF or API gateway rules that flag or reject requests where matrix parameters appear in path segments associated with administrative APIs.
Monitoring Recommendations
- Forward Quarkus application and access logs into a centralized analytics platform and alert on semicolon characters in path segments targeting non-public endpoints.
- Track baseline access patterns for administrative routes and alert on anomalous request volumes or unauthenticated source identities.
- Monitor for elevated 4xx-to-2xx ratio shifts on admin paths, which may indicate probing followed by successful bypass.
How to Mitigate CVE-2026-39852
Immediate Actions Required
- Upgrade Quarkus to one of the fixed versions: 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, or 3.35.2, selecting the release line aligned with your current deployment.
- Audit application access logs for historical requests containing semicolons in path segments targeting protected endpoints to identify possible prior exploitation.
- Review and tighten HTTP authorization policy definitions to confirm coverage of all sensitive routes after upgrade.
Patch Information
The Quarkus maintainers released fixes in versions 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2. The corrections align path normalization between the security layer and RESTEasy Reactive routing so that matrix parameters are handled consistently during authorization evaluation. See the Quarkus GitHub Security Advisory GHSA-rc95-pcm8-65v9 for the official remediation notice.
Workarounds
- Place a reverse proxy or API gateway in front of Quarkus and configure it to reject or normalize requests whose path segments contain ; characters before forwarding.
- Implement role-based authorization checks within handler methods using annotations such as @RolesAllowed rather than relying solely on HTTP path-based policies.
- Restrict network exposure of administrative endpoints to trusted internal networks until the patched version is deployed.
# Example NGINX rule to block matrix parameters on admin paths until patched
location ~* "^/api/admin.*;" {
return 400;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
