PT-2026-36916 · Quarkus · Quarkus

Published 2026-05-04 · Updated 2026-05-26 · CVE-2026-39852

CVSS v4.0: 8.8 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Quarkus version 3.32.4

Description: An authorization bypass exists where semicolons used as matrix parameters in HTTP requests can circumvent security constraints, potentially granting unauthorized access to protected resources. Unauthenticated or lower-privileged users can bypass HTTP path-based authorization policies by appending a semicolon (;) and arbitrary text to the request URL. This occurs due to a path-normalization inconsistency: the security layer performs authorization checks on the raw URL path, while the RESTEasy Reactive routing layer strips matrix parameters before matching endpoints. Consequently, a request to an endpoint like "/api/admin;anything" may bypass policies protecting "/api/admin" while still being routed to that protected endpoint.
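As an added illustration that is not part of this advisory or of Quarkus itself, the following Python models the two layers the description contrasts (a policy lookup on the raw path versus a router that strips matrix parameters) and the defensive fix: normalize the path the same way the router does before the policy lookup. The policy table, route table, log lines and the longest-prefix policy semantics are constructed for this example and are assumptions, not a description of Quarkus internals.

```python
"""Added example, not Quarkus project code: making the authorization layer
normalize the request path the same way the router does.

authorize_raw() models the mismatched check described in the advisory,
authorize_normalized() the corrected one, and suspicious_requests() scans
constructed access-log lines for successful requests that would have
slipped past a raw-path check. Policy table, routes and log lines are
constructed samples."""
import re

# Constructed policy table: protected prefix -> roles allowed ("*" = anyone).
# Longest matching prefix wins; a path matching no entry is denied.
POLICIES = {
    "/api/admin": {"admin"},
    "/api": {"*"},
}

# Constructed route table keyed by the path the router sees after it has
# stripped matrix parameters.
ROUTES = {
    "/api/admin": "AdminResource",
    "/api/items": "ItemsResource",
}


def strip_matrix_params(path: str) -> str:
    """Remove ';...' from every segment: '/a;x=1/b;y' -> '/a/b'."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize_path(path: str) -> str:
    """Canonical form used for the policy lookup.

    Only the rule the advisory mentions (matrix parameters) is applied here;
    in a real deployment this must mirror every normalization the router
    performs, otherwise the two layers disagree again."""
    return strip_matrix_params(path)


def _covers(prefix: str, path: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def policy_for(path: str):
    """Roles allowed for path under the longest matching prefix, or None."""
    matches = [p for p in POLICIES if _covers(p, path)]
    if not matches:
        return None
    return POLICIES[max(matches, key=len)]


def _decide(path: str, roles: set) -> bool:
    allowed = policy_for(path)
    if allowed is None:
        return False  # default deny: no policy covers this path
    return "*" in allowed or bool(allowed & roles)


def authorize_raw(raw_path: str, roles: set) -> bool:
    """Mismatched pattern: the policy is looked up on the raw request path."""
    return _decide(raw_path, roles)


def authorize_normalized(raw_path: str, roles: set) -> bool:
    """Hardened pattern: normalize first, then look the policy up."""
    return _decide(normalize_path(raw_path), roles)


def route_for(raw_path: str):
    """What the router dispatches to; it strips matrix parameters first."""
    return ROUTES.get(strip_matrix_params(raw_path))


# Constructed access-log lines in a common-log-like shape.
SAMPLE_LOG = [
    '198.51.100.7 - - "GET /api/items HTTP/1.1" 200',
    '198.51.100.7 - - "GET /api/admin HTTP/1.1" 401',
    '203.0.113.9 - - "GET /api/admin;anything HTTP/1.1" 200',
    '203.0.113.9 - - "GET /api/items;v=2 HTTP/1.1" 200',
]
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def suspicious_requests(log_lines):
    """Return (path, status) for successful requests whose raw path carries
    matrix parameters but normalizes onto a role-restricted path.
    Matrix parameters on public paths (e.g. /api/items;v=2) are not flagged."""
    hits = []
    for line in log_lines:
        m = _REQ.search(line)
        if not m or ";" not in m["path"] or m["status"] != "200":
            continue
        allowed = policy_for(normalize_path(m["path"]))
        if allowed is not None and "*" not in allowed:
            hits.append((m["path"], int(m["status"])))
    return hits


if __name__ == "__main__":
    anon = set()
    for raw in ("/api/admin", "/api/admin;anything"):
        print(f"{raw:22} route={route_for(raw)} raw_check={authorize_raw(raw, anon)} "
              f"normalized_check={authorize_normalized(raw, anon)}")
    print("suspicious:", suspicious_requests(SAMPLE_LOG))
```

Running the block shows the disagreement the advisory describes: for the raw path with a matrix parameter the router still dispatches to AdminResource, the raw-path check lets an anonymous caller through, and the normalized check denies it. The log scan is a retrospective check for the same pattern, and deliberately ignores matrix parameters on paths the policy table already treats as public.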
Recommendations: Update Quarkus version 3.32.4 to a patched version.

Weakness Enumeration:
Improper Authentication
Incorrect Authorization

Related Identifiers:
CLEANSTART-2026-VJ37814
CVE-2026-39852
GHSA-RC95-PCM8-65V9

Affected Products:
Quarkus