Description
Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0.
Published: 2026-05-09
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability originates in the authentication filter that Quarkus OpenAPI Generator emits for generated REST clients: when deciding whether to attach credentials, the filter matches the request path against the OpenAPI path templates of protected operations too broadly. A security scheme configured for one operation is therefore also applied to any other operation with the same HTTP method whose path only partially resembles the protected template, and the generated client sends bearer tokens, API keys, or HTTP basic credentials to endpoints that were never meant to receive them. Whoever operates or can observe such an endpoint obtains working credentials for the protected operations (CWE-200, exposure of sensitive information).
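The following block is an added illustration of the bug class described above, not code from the quarkus-openapi-generator project or from its generated filter: a toy client-side auth filter whose path-template matcher replaces each `{param}` with `.*` and searches without anchoring, beside a strict matcher that escapes literal segments, limits each parameter to one path segment, and anchors on the whole path. The protected operations, the token, the sample traffic, and the function names (`loose_matches`, `strict_matches`, `outgoing_headers`, `credential_destinations`) are constructed for the example; the flawed pattern is a model of the "overly broad matching" failure mode, not a reproduction of the affected extension's source. The same harness doubles as the functional check a team would run after upgrading: credentials must only go to the operations the spec actually protects.

```python
"""Toy model of a generated client-side auth filter: a too-broad path-template
matcher beside a strict one. Added example, not code from the
quarkus-openapi-generator project; the spec paths, operations, token and
sample traffic below are constructed for illustration."""
import re

# Constructed spec fragment: only these operations carry a security scheme.
PROTECTED = [
    ("GET", "/users/{id}"),
    ("DELETE", "/orgs/{org}/repos/{repo}"),
]

# Matches one OpenAPI path parameter such as {id}.
PARAM = re.compile(r"\{[^/}]+\}")


def loose_matches(template: str, path: str) -> bool:
    """Flawed matcher (hypothetical, modelling the bug class): each {param}
    becomes '.*' and the pattern is searched rather than anchored, so
    '/users/{id}' also covers '/users/42/audit-log' and '/public/users/1'."""
    pattern = PARAM.sub(".*", template)
    return re.search(pattern, path) is not None


def strict_matches(template: str, path: str) -> bool:
    """Hardened matcher: literal segments are regex-escaped, each {param}
    matches exactly one non-empty path segment, and the whole path must match."""
    literals = PARAM.split(template)
    pattern = "[^/]+".join(re.escape(part) for part in literals)
    return re.fullmatch(pattern, path) is not None


def outgoing_headers(method: str, path: str, matcher, token: str = "example-token") -> dict:
    """Decide, like the generated filter, whether credentials are attached: only
    when some protected operation has the same method and a matching template."""
    for protected_method, template in PROTECTED:
        if protected_method == method and matcher(template, path):
            return {"Authorization": f"Bearer {token}"}
    return {}


# Constructed traffic from the generated client; only two entries are the
# protected operations themselves.
SAMPLE_REQUESTS = [
    ("GET", "/users/42"),                                   # protected operation
    ("GET", "/users/42/audit-log"),                         # same method, longer path
    ("GET", "/public/users/1"),                             # template appears as a suffix
    ("GET", "/users//"),                                    # empty parameter segment
    ("DELETE", "/orgs/acme/repos/api"),                     # protected operation
    ("DELETE", "/orgs/acme/repos/api/collaborators/bob"),   # partial resemblance
    ("GET", "/users"),                                      # collection endpoint, no {id}
    ("POST", "/users/42"),                                  # different method
]


def credential_destinations(matcher) -> list:
    """Requests that would carry the bearer token under the given matcher."""
    return [(m, p) for m, p in SAMPLE_REQUESTS if outgoing_headers(m, p, matcher)]


if __name__ == "__main__":
    print("loose :", credential_destinations(loose_matches))
    print("strict:", credential_destinations(strict_matches))
```

With the loose matcher the token reaches six of the eight sample requests, including the audit-log sub-resource, a path that merely contains the template, and a request with an empty parameter segment; the strict matcher attaches it to the two protected operations only. A real filter should additionally match on the same form of the path that the request actually sends (percent-encoded or decoded, but consistently), which this toy does not normalise.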

Affected Systems

Applications that build REST clients with the quarkiverse:quarkus-openapi-generator extension are affected, because the flaw lives in the authentication filter the extension generates at build time. Releases earlier than the patched version on each line (2.11.1‑lts, 2.16.0‑lts, and 2.17.0) contain the flaw; the patched releases address it, and the fix takes effect once the application is rebuilt so that the client code is regenerated.

Risk and Exploitability

The CVSS 4.0 base score is 6.3 (Medium). The vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N) describes an issue reachable over the network without privileges or user interaction, but with attack requirements (AT:P): the generated client has to call a same-method operation whose path the broad matcher confuses with a protected template. No EPSS exploitation score is available and the CVE is not in the CISA KEV catalog. Note that no attacker action is needed to trigger the leak; the client misdirects its own credentials as part of normal operation. Whoever controls or can observe the endpoint that receives the misdirected request obtains the bearer token, API key, or basic credentials and can replay them against the operations they were intended for, which is why the vector records limited impact on both confidentiality (VC:L) and integrity (VI:L).

Generated by OpenCVE AI on May 9, 2026 at 20:50 UTC.

Remediation

Fixed in versions 2.11.1‑lts, 2.16.0‑lts, and 2.17.0 (per the advisory description). No separate vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Upgrade quarkiverse:quarkus-openapi-generator to the patched release on your line: 2.11.1‑lts, 2.16.0‑lts, or 2.17.0 (or a later release of that line).
  • Rebuild every application that generates REST clients with the extension so that the client code and its authentication filter are regenerated with the fixed path‑matching logic; clean out any checked‑in or cached generated sources from the old version.
  • Re‑deploy the rebuilt applications and confirm from the deployed artifact that the new generated code is in use.
  • Add a functional test that exercises same‑method operations whose paths partially resemble a protected template and asserts that Authorization headers or API keys appear only on the operations the specification protects.
  • Review any custom path‑pattern or filter logic in your application that overrides the generated matching, so it does not reintroduce the broad match.
  • Treat credentials that the vulnerable clients may have sent to unintended endpoints as exposed, and rotate them if those endpoints are outside your trust boundary.



Advisories
Source: GitHub GHSA
ID: GHSA-fr8f-rwjx-f32v
Title: quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations
History

Sat, 09 May 2026 20:45:00 +0000

Type: First Time appeared
Values Added: Quarkiverse; Quarkiverse quarkus-openapi-generator

Type: Vendors & Products
Values Added: Quarkiverse; Quarkiverse quarkus-openapi-generator

Sat, 09 May 2026 19:45:00 +0000

Type: Description
Values Added: Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0.

Type: Title
Values Added: quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Type: Weaknesses
Values Added: CWE-200

Type: References
Values Added:

Type: Metrics
Values Added: cvssV4_0 {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:16:19.873Z

Reserved: 2026-04-26T13:26:14.514Z

Link: CVE-2026-42333

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T20:16:28.780

Modified: 2026-05-09T20:16:28.780

Link: CVE-2026-42333

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T21:00:12Z

Weaknesses