GHSA-rc95-pcm8-65v9

Suggest an improvement
Source
https://github.com/advisories/GHSA-rc95-pcm8-65v9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rc95-pcm8-65v9/GHSA-rc95-pcm8-65v9.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rc95-pcm8-65v9
Aliases
  • CVE-2026-39852
Downstream
Related
Published
2026-05-04T17:20:20Z
Modified
2026-05-08T15:50:35.630840Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Quarkus has Authentication/Authorization bypasses
Details

Quarkus version 3.32.4 is vulnerable to an authorization bypass issue (GHSL-2026-099), in which semicolons (matrix parameters) in HTTP requests can be used to bypass security constraints, potentially allowing unauthorized access to protected resources.

Unauthenticated or lower-privileged users can bypass HTTP path-based authorization policies by appending a semicolon (;) and arbitrary text to the request URL. The vulnerability arises from a path-normalization inconsistency: Quarkus's security layer performs authorization checks on the raw URL path (which preserves matrix parameters), whereas RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. This allows requests like /api/admin;anything to bypass policies protecting /api/admin while still routing to the protected endpoint.

Impact

This issue may lead to Authentication/Authorization bypasses.

Credits

This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).

Database specific 
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T17:20:20Z",
    "cwe_ids": [
        "CWE-287",
        "CWE-863"
    ],
    "severity": "HIGH",
    "nvd_published_at": "2026-05-05T21:16:22Z"
}
References

Affected packages

Maven
io.quarkus:quarkus-vertx-http

Package

Name
io.quarkus:quarkus-vertx-http
View open source insights on deps.dev
Purl
pkg:maven/io.quarkus/quarkus-vertx-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.20.6.1

Affected versions

0.*
0.23.0
0.23.1
0.23.2
0.24.0
0.25.0
0.26.0
0.26.1
0.27.0
0.28.0
0.28.1
1.*
1.0.0.CR1
1.0.0.CR2
1.0.0.Final
1.0.1.Final
1.1.0.CR1
1.1.0.Final
1.1.1.Final
1.2.0.CR1
1.2.0.Final
1.2.1.Final
1.3.0.Alpha1
1.3.0.Alpha2
1.3.0.CR1
1.3.0.CR2
1.3.0.Final
1.3.1.Final
1.3.2.Final
1.3.3.Final
1.3.4.Final
1.4.0.CR1
1.4.0.Final
1.4.1.Final
1.4.2.Final
1.5.0.CR1
1.5.0.Final
1.5.1.Final
1.5.2.Final
1.6.0.CR1
1.6.0.Final
1.6.1.Final
1.7.0.CR1
1.7.0.CR2
1.7.0.Final
1.7.1.Final
1.7.2.Final
1.7.3.Final
1.7.4.Final
1.7.5.Final
1.7.6.Final
1.8.0.CR1
1.8.0.Final
1.8.1.Final
1.8.2.Final
1.8.3.Final
1.9.0.CR1
1.9.0.Final
1.9.1.Final
1.9.2.Final
1.10.0.CR1
1.10.0.Final
1.10.1.Final
1.10.2.Final
1.10.3.Final
1.10.4.Final
1.10.5.Final
1.11.0.Beta1
1.11.0.Beta2
1.11.0.CR1
1.11.0.Final
1.11.1.Final
1.11.2.Final
1.11.3.Final
1.11.4.Final
1.11.5.Final
1.11.6.Final
1.11.7.Final
1.12.0.CR1
1.12.0.Final
1.12.1.Final
1.12.2.Final
1.13.0.CR1
1.13.0.Final
1.13.1.Final
1.13.2.Final
1.13.3.Final
1.13.4.Final
1.13.5.Final
1.13.6.Final
1.13.7.Final
2.*
2.0.0.Alpha1
2.0.0.Alpha2
2.0.0.Alpha3
2.0.0.CR1
2.0.0.CR2
2.0.0.CR3
2.0.0.Final
2.0.1.Final
2.0.2.Final
2.0.3.Final
2.1.0.CR1
2.1.0.Final
2.1.1.Final
2.1.2.Final
2.1.3.Final
2.1.4.Final
2.2.0.CR1
2.2.0.Final
2.2.1.Final
2.2.2.Final
2.2.3.Final
2.2.4.Final
2.2.5.Final
2.3.0.CR1
2.3.0.Final
2.3.1.Final
2.4.0.CR1
2.4.0.Final
2.4.1.Final
2.4.2.Final
2.5.0.CR1
2.5.0.Final
2.5.1.Final
2.5.2.Final
2.5.3.Final
2.5.4.Final
2.6.0.CR1
2.6.0.Final
2.6.1.Final
2.6.2.Final
2.6.3.Final
2.7.0.CR1
2.7.0.Final
2.7.1.Final
2.7.2.Final
2.7.3.Final
2.7.4.Final
2.7.5.Final
2.7.6.Final
2.7.7.Final
2.8.0.CR1
2.8.0.Final
2.8.1.Final
2.8.2.Final
2.8.3.Final
2.9.0.CR1
2.9.0.Final
2.9.1.Final
2.9.2.Final
2.10.0.CR1
2.10.0.Final
2.10.1.Final
2.10.2.Final
2.10.3.Final
2.10.4.Final
2.11.0.CR1
2.11.0.Final
2.11.1.Final
2.11.2.Final
2.11.3.Final
2.12.0.CR1
2.12.0.Final
2.12.1.Final
2.12.2.Final
2.12.3.Final
2.13.0.CR1
2.13.0.Final
2.13.1.Final
2.13.2.Final
2.13.3.Final
2.13.4.Final
2.13.5.Final
2.13.6.Final
2.13.7.Final
2.13.8.Final
2.13.9.Final
2.14.0.CR1
2.14.0.Final
2.14.1.Final
2.14.2.Final
2.14.3.Final
2.15.0.CR1
2.15.0.Final
2.15.1.Final
2.15.2.Final
2.15.3.Final
2.16.0.CR1
2.16.0.Final
2.16.1.Final
2.16.2.Final
2.16.3.Final
2.16.4.Final
2.16.5.Final
2.16.6.Final
2.16.7.Final
2.16.8.Final
2.16.9.Final
2.16.10.Final
2.16.11.Final
2.16.12.Final
3.*
3.0.0.Alpha1
3.0.0.Alpha2
3.0.0.Alpha3
3.0.0.Alpha4
3.0.0.Alpha5
3.0.0.Alpha6
3.0.0.Beta1
3.0.0.CR1
3.0.0.CR2
3.0.0.Final
3.0.1.Final
3.0.2.Final
3.0.3.Final
3.0.4.Final
3.1.0.CR1
3.1.0.Final
3.1.1.Final
3.1.2.Final
3.1.3.Final
3.2.0.CR1
3.2.0.Final
3.2.1.Final
3.2.2.Final
3.2.3.Final
3.2.4.Final
3.2.5.Final
3.2.6.Final
3.2.7.Final
3.2.8.Final
3.2.9.Final
3.2.10.Final
3.2.11.Final
3.2.12.Final
3.3.0.CR1
3.3.0
3.3.1
3.3.2
3.3.3
3.4.0.CR1
3.4.0
3.4.1
3.4.2
3.4.3
3.5.0.CR1
3.5.0
3.5.1
3.5.2
3.5.3
3.6.0.CR1
3.6.0
3.6.1
3.6.2
3.6.3
3.6.4
3.6.5
3.6.6
3.6.7
3.6.8
3.6.9
3.7.0.CR1
3.7.0
3.7.1
3.7.2
3.7.3
3.7.4
3.8.0.CR1
3.8.0
3.8.1
3.8.2
3.8.3
3.8.4
3.8.5
3.8.6
3.8.6.1
3.9.0.CR1
3.9.0.CR2
3.9.0
3.9.1
3.9.2
3.9.3
3.9.4
3.9.5
3.10.0.CR1
3.10.0
3.10.1
3.10.2
3.11.0.CR1
3.11.0
3.11.1
3.11.2
3.11.3
3.12.0.CR1
3.12.0
3.12.1
3.12.2
3.12.3
3.13.0.CR1
3.13.0
3.13.1
3.13.2
3.13.3
3.14.0.CR1
3.14.0
3.14.1
3.14.2
3.14.3
3.14.4
3.15.0.CR1
3.15.0
3.15.1
3.15.2
3.15.3
3.15.3.1
3.15.4
3.15.5
3.15.6
3.15.6.1
3.15.6.2
3.15.7
3.16.0.CR1
3.16.0
3.16.1
3.16.2
3.16.3
3.16.4
3.17.0.CR1
3.17.0
3.17.1
3.17.2
3.17.3
3.17.4
3.17.5
3.17.6
3.17.7
3.17.8
3.18.0.CR1
3.18.0
3.18.1
3.18.2
3.18.3
3.18.4
3.19.0.CR1
3.19.0
3.19.1
3.19.2
3.19.3
3.19.4
3.20.0.CR1
3.20.0
3.20.1
3.20.2
3.20.2.1
3.20.2.2
3.20.3
3.20.4
3.20.5
3.20.6

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rc95-pcm8-65v9/GHSA-rc95-pcm8-65v9.json"
io.quarkus:quarkus-vertx-http

Package

Name
io.quarkus:quarkus-vertx-http
View open source insights on deps.dev
Purl
pkg:maven/io.quarkus/quarkus-vertx-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.21.0
Fixed
3.27.3.1

Affected versions

3.*
3.21.0
3.21.1
3.21.2
3.21.3
3.21.4
3.22.0.CR1
3.22.0
3.22.1
3.22.2
3.22.3
3.23.0.CR1
3.23.0
3.23.1
3.23.2
3.23.3
3.23.4
3.24.0.CR1
3.24.0
3.24.1
3.24.2
3.24.3
3.24.4
3.24.5
3.25.0.CR1
3.25.0
3.25.1
3.25.2
3.25.3
3.25.4
3.26.0.CR1
3.26.0
3.26.1
3.26.2
3.26.3
3.26.4
3.27.0.CR1
3.27.0
3.27.1
3.27.2
3.27.3

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rc95-pcm8-65v9/GHSA-rc95-pcm8-65v9.json"
io.quarkus:quarkus-vertx-http

Package

Name
io.quarkus:quarkus-vertx-http
View open source insights on deps.dev
Purl
pkg:maven/io.quarkus/quarkus-vertx-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.30.0
Fixed
3.33.1.1

Affected versions

3.*
3.30.0
3.30.1
3.30.2
3.30.3
3.30.4
3.30.5
3.30.6
3.30.7
3.30.8
3.31.0.CR1
3.31.0
3.31.1
3.31.2
3.31.3
3.31.4
3.32.0.CR1
3.32.0
3.32.1
3.32.2
3.32.3
3.32.4
3.33.0.CR1
3.33.0
3.33.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rc95-pcm8-65v9/GHSA-rc95-pcm8-65v9.json"
io.quarkus:quarkus-vertx-http

Package

Name
io.quarkus:quarkus-vertx-http
View open source insights on deps.dev
Purl
pkg:maven/io.quarkus/quarkus-vertx-http

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.34.0
Fixed
3.35.1.1

Affected versions

3.*
3.34.0
3.34.1
3.34.2
3.34.3
3.34.4
3.34.5
3.34.6
3.34.7
3.35.0.CR1
3.35.0
3.35.1

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rc95-pcm8-65v9/GHSA-rc95-pcm8-65v9.json"