Description
The Vert.x Web static handler component cache can be manipulated with a specifically crafted request URI to deny access to static files served by the handler.


The issue comes from an incorrect implementation of rule C of the remove_dot_segments algorithm in section 5.2.4 of RFC 3986 (the rule that handles a leading "/../" or "/.." by dropping the previous output segment). It is fixed in the Vert.x Core component, which Vert.x Web uses: https://github.com/eclipse-vertx/vert.x/pull/5895



Steps to reproduce
Given a file served by the static handler, craft a URI that inserts a string such as bar%2F..%2F (the percent-encoded form of bar/../) after the last / character. Requesting that URI causes requests for the original file to be refused with an HTTP 404 response. For example, https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html

Mitigation
Disabling the Static Handler cache works around the issue until Vert.x Core is upgraded.



import io.vertx.ext.web.handler.StaticHandler;

// Caching is on by default (unless Vert.x Web runs in development mode); turning it off removes the cache that the crafted URI poisons.
StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);
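The mechanics behind the description and the proof of concept above can be seen in a few lines. The following is an added example written for this page, not code from Vert.x or the advisory: it implements RFC 3986 remove_dot_segments with rule C labelled, shows that the proof-of-concept path normalises to two different results depending on whether percent-decoding happens before dot-segment removal, adds a guard a practitioner can mount ahead of the static handler, and drives a toy cache model that reproduces the advisory's observable effect with caching on and off. The cache model, the guard and every name here (ModelStaticHandler, has_encoded_separator, run_poc, LEGIT_PATH, POC_PATH) are assumptions made for illustration; the actual defect and its fix live in the linked Vert.x Core pull request.

```python
from urllib.parse import unquote

# Constructed from the advisory's proof of concept (host part dropped).
LEGIT_PATH = "/foo/index.html"
POC_PATH = "/foo/bar%2F..%2Findex.html"


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 'remove_dot_segments', rules A-E spelled out.

    Works on the path exactly as given: a percent-encoded "%2F" is not a
    segment separator here, so "bar%2F..%2Findex.html" stays one segment.
    """
    inp, out = path, []          # out holds segments, each with its leading "/"
    while inp:
        if inp.startswith("../"):            # rule A: drop leading "../"
            inp = inp[3:]
        elif inp.startswith("./"):           # rule A: drop leading "./"
            inp = inp[2:]
        elif inp.startswith("/./"):          # rule B: "/./" -> "/"
            inp = inp[2:]
        elif inp == "/.":                    # rule B: trailing "/." -> "/"
            inp = "/"
        elif inp.startswith("/../"):         # rule C: "/../" -> "/" and pop last segment
            inp = inp[3:]
            if out:
                out.pop()
        elif inp == "/..":                   # rule C: trailing "/.." -> "/" and pop
            inp = "/"
            if out:
                out.pop()
        elif inp in (".", ".."):             # rule D: a bare "." or ".." vanishes
            inp = ""
        else:                                # rule E: move the first segment to output
            end = inp.find("/", 1 if inp.startswith("/") else 0)
            if end == -1:
                end = len(inp)
            out.append(inp[:end])
            inp = inp[end:]
    return "".join(out)


def canonical_forms(raw_path: str) -> tuple[str, str]:
    """The two answers a server can reach for one request: dot-removal on the
    raw path versus dot-removal on the percent-decoded path."""
    return remove_dot_segments(raw_path), remove_dot_segments(unquote(raw_path))


def has_encoded_separator(raw_path: str) -> bool:
    """Guard to mount before the static handler (an assumption, not Vert.x code):
    refuse paths that percent-encode "/" or ".", since only those let the two
    canonical forms above diverge."""
    lowered = raw_path.lower()
    return "%2f" in lowered or "%2e" in lowered


class ModelStaticHandler:
    """Toy model of the reported behaviour, not Vert.x's StaticHandler.

    Assumption chosen to reproduce the advisory's observable effect: the file
    lookup runs against the decoded path, a failed lookup is remembered under
    the fully normalised key, and later requests for that key are refused.
    """

    def __init__(self, files: set[str], caching_enabled: bool = True) -> None:
        self.files = files
        self.caching_enabled = caching_enabled
        self.not_found: set[str] = set()   # the poisonable cache

    def serve(self, raw_path: str) -> int:
        key = remove_dot_segments(unquote(raw_path))   # "/foo/index.html" for both inputs
        if self.caching_enabled and key in self.not_found:
            return 404
        # "/foo/bar/../index.html" has no "bar" directory to traverse, so it misses.
        status = 200 if unquote(raw_path) in self.files else 404
        if self.caching_enabled and status == 404:
            self.not_found.add(key)
        return status


def run_poc(caching_enabled: bool) -> tuple[int, int, int]:
    """Legitimate request, crafted request, legitimate request again."""
    handler = ModelStaticHandler({LEGIT_PATH}, caching_enabled)
    return (handler.serve(LEGIT_PATH), handler.serve(POC_PATH), handler.serve(LEGIT_PATH))


if __name__ == "__main__":
    print(canonical_forms(POC_PATH))       # two different paths for one request
    print(run_poc(caching_enabled=True))   # (200, 404, 404): legitimate file now denied
    print(run_poc(caching_enabled=False))  # (200, 404, 200): the advisory's workaround
```

The guard rejects "%2E" as well as "%2F"; that is deliberately strict, since a static file name that legitimately needs a percent-encoded dot is rare and the check is cheaper than reasoning about every normalisation order the stack might apply.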
Published: 2026-01-15
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Patch
AI Analysis

Impact

An unauthenticated attacker can send a request whose URI contains a percent-encoded dot segment (for example bar%2F..%2F inserted before the file name) so that the Vert.x Web static handler's cache subsequently answers requests for the legitimate file with HTTP 404. The root cause is an incorrect implementation of rule C of the remove_dot_segments algorithm (RFC 3986, section 5.2.4) in Vert.x Core, which Vert.x Web relies on. The effect is a loss of availability for the affected static resources; the flaw provides neither code execution nor information disclosure.

Affected Systems

Applications built on Eclipse Vert.x Web that serve files through StaticHandler with caching enabled are affected; caching is the handler's default outside development mode. Because the defect lives in Vert.x Core, on which Vert.x Web depends, the fix is delivered by the Core release that contains https://github.com/eclipse-vertx/vert.x/pull/5895. The advisory lists no affected version range, so each deployment should check both the Vert.x Core version actually resolved in its dependency tree and whether static handler caching is enabled.

Risk and Exploitability

The CVE carries a CVSS v4.0 base score of 6.9 (Medium); NVD's CVSS v3.1 score is 5.3 after being revised from 7.5 on 5 February 2026 (see History). The EPSS score is below 1%, the SSVC assessment records Exploitation: poc and Automatable: yes, and the vulnerability is not in the CISA KEV catalog. Exploitation needs only the ability to send HTTP requests to the server: no authentication, privileges or user interaction are required, and a single request such as "https://example.com/foo/bar%2F..%2Findex.html" is enough to deny access to https://example.com/foo/index.html.

Generated by OpenCVE AI on April 18, 2026 at 05:55 UTC.

Remediation

Vendor fix: the correction to dot-segment handling in Vert.x Core, https://github.com/eclipse-vertx/vert.x/pull/5895, consumed by Vert.x Web. Vendor workaround: disable the static handler cache with StaticHandler.create().setCachingEnabled(false).

OpenCVE Recommended Actions

  • Upgrade to a Vert.x Core release that contains https://github.com/eclipse-vertx/vert.x/pull/5895 and to the matching Vert.x Web release, then confirm the Vert.x Core version actually resolved in the dependency tree (a Vert.x Web upgrade alone may leave an older Core pinned).
  • Until the upgrade is in place, disable static handler caching with StaticHandler.create().setCachingEnabled(false); expect more file-system metadata lookups on busy static routes.
  • Independently of the patch, mount a handler ahead of the static handler that rejects request paths containing percent-encoded path separators (%2F, %2f) or dot segments, which is what the published proof of concept relies on.

Generated by OpenCVE AI on April 18, 2026 at 05:55 UTC.


Advisories
Source: GitHub GHSA
ID: GHSA-cphf-4846-3xx9
Title: Vert.x Web static handler component cache can be manipulated to deny the access to static files
History

Thu, 05 Feb 2026 17:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Fri, 30 Jan 2026 19:45:00 +0000

Type: First Time appeared
Values Added: Eclipse vert.x-web
Type: CPEs
Values Added: cpe:2.3:a:eclipse:vert.x-web:*:*:*:*:*:*:*:*
Type: Vendors & Products
Values Added: Eclipse vert.x-web
Type: Metrics
Values Removed: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Sat, 17 Jan 2026 00:15:00 +0000

Type: References
Type: Metrics
Values Removed: threat_severity None
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}; threat_severity Moderate


Fri, 16 Jan 2026 14:15:00 +0000

Type: First Time appeared
Values Added: Eclipse; Eclipse vert.x; Eclipse vert.x Core; Eclipse Foundation; Eclipse Foundation vert.x
Type: Vendors & Products
Values Added: Eclipse; Eclipse vert.x; Eclipse vert.x Core; Eclipse Foundation; Eclipse Foundation vert.x

Thu, 15 Jan 2026 21:15:00 +0000

Type: References
Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 15 Jan 2026 21:00:00 +0000

Type: Description
Values Added: The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft a URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitigation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);
Type: Title
Values Added: Eclipse Vert.x Web static handler file access denial
Type: Weaknesses
Values Added: CWE-444
Type: References
Type: Metrics
Values Added: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L'}


MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-01-15T21:09:22.172Z

Reserved: 2026-01-15T18:23:48.276Z

Link: CVE-2026-1002

Vulnrichment

Updated: 2026-01-15T21:08:54.986Z

NVD

Status : Analyzed

Published: 2026-01-15T21:16:05.640

Modified: 2026-02-05T16:50:31.073

Link: CVE-2026-1002

Red Hat

Severity : Moderate

Public Date: 2026-01-15T20:50:25Z

Links: CVE-2026-1002 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z