CVE-2026-50559 - Vulnerability Details

Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Apache Camel Quarkus Quarkus

No data.

Package	CPE	Advisory	Released Date
Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1
quarkus-vertx-http	cpe:/a:redhat:apache_camel_quarkus:3.33	RHSA-2026:26586	2026-06-17T00:00:00Z
Red Hat build of Quarkus 3.20.6.SP2
quarkus-vertx-http	cpe:/a:redhat:quarkus:3.20::el8	RHSA-2026:26194	2026-06-17T00:00:00Z
Red Hat build of Quarkus 3.27.4.SP1
quarkus-vertx-http	cpe:/a:redhat:quarkus:3.27::el8	RHSA-2026:26018	2026-06-17T00:00:00Z
Red Hat build of Quarkus 3.33.2.SP1
quarkus-vertx-http	cpe:/a:redhat:quarkus:3.33::el8	RHSA-2026:26017	2026-06-17T00:00:00Z

References

Link	Providers
https://github.com/quarkusio/quarkus/security/advisories/GHSA-qcxp-gm7m-4j5v
https://nvd.nist.gov/vuln/detail/CVE-2026-50559
https://www.cve.org/CVERecord?id=CVE-2026-50559

History

Fri, 19 Jun 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in Quarkus. A remote attacker could bypass HTTP path-based authorization policies by using specially crafted encoded semicolons, slashes, or backslashes in HTTP requests. This could allow unauthorized access to protected static resources, leading to information disclosure.	Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.
Title	io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters	Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities
Weaknesses		CWE-287 CWE-863

Thu, 18 Jun 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Quarkus. A remote attacker could bypass HTTP path-based authorization policies by using specially crafted encoded semicolons, slashes, or backslashes in HTTP requests. This could allow unauthorized access to protected static resources, leading to information disclosure.
Title		io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters
First Time appeared		Redhat Redhat apache Camel Quarkus Redhat quarkus
Weaknesses		CWE-551
CPEs		cpe:/a:redhat:apache_camel_quarkus:3.33 cpe:/a:redhat:quarkus:3.20::el8 cpe:/a:redhat:quarkus:3.27::el8 cpe:/a:redhat:quarkus:3.33::el8
Vendors & Products		Redhat Redhat apache Camel Quarkus Redhat quarkus
References		https://github.com/quarkusio/quarkus/security/advisories/GHSA-qcxp-gm7m-4j5v https://nvd.nist.gov/vuln/detail/CVE-2026-50559 https://www.cve.org/CVERecord?id=CVE-2026-50559
Metrics	threat_severity `None`	cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` threat_severity `Important`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-19T20:26:39.322Z

Updated: 2026-06-19T20:26:39.322Z

Reserved: 2026-06-04T21:34:34.426Z

Link: CVE-2026-50559

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Publid Date: 2026-06-17T00:00:00Z

Links: CVE-2026-50559 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object