Impact
CVE-2026-50559 describes a flaw in Quarkus versions prior to 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 where HTTP path‑based authorization policies can be bypassed by employing encoded semicolons (%3B) to smuggle matrix parameters past the security layer, or by using encoded slashes (%2F) or backslashes (%5C) to access protected static resources that should otherwise be restricted. The bypass enables an attacker to reach resources that are not intended to be public, effectively gaining unauthorized access to sensitive data. This issue is distinct from CVE‑2026‑39852, which addressed only literal semicolon stripping.
Affected Systems
Affected products include Quarkus versions 3.20, 3.27 and 3.33 running on Red Hat Enterprise Linux 8, as well as Apache Camel Quarkus 3.33. All installations that rely on Quarkus' vertx‑http module and enforce path‑based access controls are susceptible when they employ encoded characters in URLs.
Risk and Exploitability
The vulnerability carries a CVSS score of 7.5, indicating high severity and a remote attack vector that requires network access. EPSS is not available, and the issue is not listed in CISA's KEV catalog, but the lack of the score does not imply low risk; attackers can readily construct the exploit in a web application that depends on the affected Quarkus version. Because the flaw affects authorization checks rather than authentication, typical intrusion detection systems may not flag the activity, making mitigation especially important.
OpenCVE Enrichment