Description
A flaw was found in Quarkus. A remote attacker could bypass HTTP path-based authorization policies by using specially crafted encoded semicolons, slashes, or backslashes in HTTP requests. This could allow unauthorized access to protected static resources, leading to information disclosure.
Published: n/a
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw exists in Quarkus that lets a remote attacker send specially crafted HTTP requests containing encoded semicolons, slashes, or backslashes. Because the framework evaluates its HTTP path-based authorization policies before the request path has been fully parsed and canonicalized (CWE-551), the encoded characters allow an attacker to bypass those policies and reach protected static resources that should otherwise be restricted. The result can be uncontrolled disclosure of sensitive data.

Affected Systems

Affected products include Quarkus versions 3.20, 3.27 and 3.33 running on Red Hat Enterprise Linux 8, as well as Apache Camel Quarkus 3.33. Any installation that relies on the Quarkus vertx-http module (io.quarkus/quarkus-vertx-http) and enforces path-based access controls is exposed to requests that carry such encoded characters in the URL path.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity: it is exploitable over the network with low attack complexity, requires neither privileges nor user interaction, and its impact is confined to confidentiality. EPSS is not available and the issue is not listed in CISA's KEV catalog, but the absence of those scores does not imply low risk; attackers can readily construct the exploit against a web application that depends on an affected Quarkus version. Because the flaw affects authorization checks rather than authentication, typical intrusion detection systems may not flag the activity, which makes mitigation especially important.

Generated by OpenCVE AI on June 18, 2026 at 18:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Quarkus release that contains the fix for the encoded character bypass.
  • Modify request handling to reject or properly decode encoded semicolons, slashes, and backslashes in URL paths before authorization evaluation.
  • Review and tighten HTTP path‑based policies to enforce strict validation of static resource URLs and ensure that only allowed paths are exposed.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type                | Values Removed        | Values Added
Description         |                       | A flaw was found in Quarkus. A remote attacker could bypass HTTP path-based authorization policies by using specially crafted encoded semicolons, slashes, or backslashes in HTTP requests. This could allow unauthorized access to protected static resources, leading to information disclosure.
Title               |                       | io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters
First Time appeared |                       | Redhat; Redhat apache Camel Quarkus; Redhat quarkus
Weaknesses          |                       | CWE-551
CPEs                |                       | cpe:/a:redhat:apache_camel_quarkus:3.33; cpe:/a:redhat:quarkus:3.20::el8; cpe:/a:redhat:quarkus:3.27::el8; cpe:/a:redhat:quarkus:3.33::el8
Vendors & Products  |                       | Redhat; Redhat apache Camel Quarkus; Redhat quarkus
References          |                       |
Metrics             | threat_severity: None | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}; threat_severity: Important

MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Published Date: 2026-06-17T00:00:00Z

Links: CVE-2026-50559 - Bugzilla

OpenCVE Enrichment

Updated: 2026-06-18T19:00:11Z

Weaknesses
  • CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization