CVE-2026-50559 Overview
CVE-2026-50559 is an authentication bypass vulnerability in Quarkus, a Java framework for building cloud-native applications. Attackers can bypass HTTP path-based authorization policies using encoded semicolons (%3B) to smuggle matrix parameters past the security layer. Encoded slashes (%2F) and backslashes (%5C) also allow unauthorized access to protected static resources. This issue is distinct from CVE-2026-39852, which only addressed literal semicolon stripping. The vulnerability is classified under [CWE-287] (Improper Authentication).
Critical Impact
Unauthenticated remote attackers can bypass URL-based security constraints and access protected endpoints or static resources without valid credentials.
Affected Products
- Quarkus versions prior to 3.37.0
- Quarkus versions prior to 3.36.3, 3.33.2.1, 3.33.3
- Quarkus versions prior to 3.27.4.1, 3.27.5, and 3.20.6.2
Discovery Timeline
- 2026-06-19 - CVE-2026-50559 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-50559
Vulnerability Analysis
The vulnerability resides in how Quarkus normalizes HTTP request paths before applying authorization decisions. The security layer evaluates request URIs against configured path-based authorization policies. When an attacker submits a URI containing percent-encoded characters, the authorization layer evaluates the encoded form while downstream routing decodes them. This inconsistency allows an attacker to construct URIs that appear unprotected to the security layer but resolve to protected resources at the application layer.
The flaw is a follow-on to CVE-2026-39852. That earlier fix removed literal semicolons used to smuggle matrix parameters but did not address percent-encoded variants. As a result, requests containing %3B, %2F, or %5C continued to bypass policy enforcement.
Root Cause
The root cause is inconsistent URI canonicalization between the authorization layer and the request dispatcher. The authorization code path does not decode percent-encoded reserved characters before pattern matching. Downstream components decode the same characters when resolving the target resource, producing a parsing mismatch that defeats path-based access controls.
Attack Vector
An unauthenticated remote attacker sends a crafted HTTP request to a Quarkus application that uses path-based authorization. By substituting %3B for ;, %2F for /, or %5C for \ inside the request URI, the attacker traverses or alters the path the security layer evaluates. The encoded request reaches a protected endpoint or static resource without authentication. No user interaction or privileges are required. See the GitHub Security Advisory GHSA-qcxp-gm7m-4j5v for the upstream technical description.
Detection Methods for CVE-2026-50559
Indicators of Compromise
- HTTP access logs containing %3B, %2F, or %5C sequences in request URIs targeting authenticated routes
- Successful HTTP 200 responses to protected paths from clients that did not present valid credentials or sessions
- Requests to static resource paths containing encoded slashes or backslashes immediately preceding sensitive file names
Detection Strategies
- Inspect web server and reverse proxy logs for encoded reserved characters in URIs and correlate them with authorization outcomes
- Compare the URI seen by the authorization filter against the resolved target resource to identify normalization mismatches
- Alert on requests where matrix parameters appear after encoded semicolons in paths that map to protected Quarkus routes
Monitoring Recommendations
- Enable verbose HTTP access logging on Quarkus applications and forward logs to a centralized analytics platform for retention and querying
- Add Web Application Firewall (WAF) rules that flag or block requests containing %3B, %2F, or %5C in URI path segments
- Monitor authentication subsystem metrics for requests reaching protected handlers without a preceding authentication event
How to Mitigate CVE-2026-50559
Immediate Actions Required
- Upgrade Quarkus to a patched release: 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, or 3.20.6.2
- Audit application path-based authorization rules and confirm no protected endpoints are reachable via encoded path manipulations
- Review HTTP access logs for prior requests containing %3B, %2F, or %5C against sensitive paths
Patch Information
The Quarkus project released fixes in versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2. The patches normalize percent-encoded reserved characters before authorization evaluation. Refer to the Quarkus GitHub Security Advisory for release notes and commit references.
Workarounds
- Deploy a reverse proxy or WAF in front of Quarkus that rejects or normalizes requests containing encoded path separators and semicolons before they reach the application
- Replace path-based authorization with role-based annotations on individual endpoints where feasible to avoid reliance on URI pattern matching
- Restrict exposure of static resource directories at the proxy layer until the Quarkus runtime is upgraded
# Example NGINX rule to block encoded path manipulation characters
if ($request_uri ~* "(%3B|%2F|%5C)") {
return 400;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

