CVE-2026-39852 - Quarkus matrix-parameter authorization bypass
Quarkus had a path-normalization mismatch between HTTP authorization and RESTEasy Reactive routing. The security layer evaluated the raw request path, including semicolon matrix parameters, while the routing layer stripped those parameters before dispatching to the endpoint.
An unauthenticated or lower-privileged caller could request a protected route
with a semicolon suffix, such as /api/admin;anything, and have the request
route to /api/admin without matching the intended path-based authorization
rule. The highest-risk applications are those that use path policies for admin
APIs, tenant controls, workflow promotion, connector enablement, or internal
agent-control endpoints.
When to use it
- A repository builds, deploys, or packages Quarkus applications on affected
quarkus-vertx-httpor platform streams. - Protected APIs rely on path-based authorization rules, gateway path policy, generated config, or route matchers.
- Sensitive routes include admin, tenant, billing, connector, workflow, secrets, export, or agent-control endpoints.
- You need a bounded PR or triage note that upgrades Quarkus and proves semicolon/matrix-parameter variants cannot bypass authorization.
Inputs
- Maven/Gradle manifests, BOM pins, locks, Quarkus config, resource routes, gateway/ingress policy, Dockerfiles, images, generated manifests, SBOMs, and dependency reports.
- Protected route inventory, path-based auth rules, method-level annotations, matrix/encoded-semicolon handling, gateway normalization, access logs, and rollout owners.
- Available dependency resolution, authz tests, integration tests, gateway render checks, container build, SBOM, and dependency/security scans.
Affected versions
Patch the Quarkus stream the application actually runs.
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
io.quarkus:quarkus-vertx-http / Quarkus platform |
<3.20.6.1; >=3.21.0, <3.27.3.1; >=3.28.0, <3.33.1.1; >=3.34.0, <3.34.7; >=3.35.0, <3.35.2 |
3.20.6.1, 3.27.3.1, 3.33.1.1, 3.34.7, 3.35.2 |
Indicator-of-exposure
- The repository builds, deploys, or packages a Quarkus application using an
affected version of
quarkus-vertx-httpor the Quarkus platform. - The application uses path-based authorization through
quarkus.http.auth.*policy rules, route matchers, generated deployment config, gateway policy, or framework middleware. - Protected paths include admin APIs, tenant configuration, billing controls, connector approval, agent tool enablement, secrets, data export, or workflow promotion.
- RESTEasy Reactive routes are exposed to untrusted HTTP clients.
Quick checks:
rg -n "io.quarkus|quarkus-vertx-http|quarkus.platform|quarkus.http.auth|@RolesAllowed|@PermissionsAllowed|@Path\\(" .
mvn dependency:tree -Dincludes=io.quarkus
./mvnw dependency:tree -Dincludes=io.quarkus
rg -n "quarkus\\.http\\.auth\\..*paths|roles-allowed|permissions-allowed|/admin|/internal|/tenant|/connectors|/agents" src config deploy charts .
Remediation strategy
- Upgrade every affected Quarkus application to the fixed release for its supported stream. Do not jump streams unless the repository already owns that migration risk.
- Regenerate Maven/Gradle locks, platform BOM pins, container images, SBOMs, deployment render output, and dependency reports.
- Add negative tests for semicolon and encoded-semicolon variants against the most sensitive protected routes.
- Prefer annotation or code-level authorization on sensitive resource methods where path policy alone would be too easy to drift.
- Review gateway and WAF normalization behavior so upstream path rewrites do not mask coverage gaps in application tests.
The prompt
You are remediating CVE-2026-39852 (Quarkus matrix-parameter authorization
bypass). Produce exactly one output:
- A reviewer-ready PR/change request that upgrades affected Quarkus packages,
adds authorization regression tests, refreshes generated artifacts, and
documents operator checks, or
- TRIAGE.md if this repository does not own an affected Quarkus application or
cannot make a safe patch.
## Rules
- Scope only CVE-2026-39852 and directly related Quarkus authorization tests.
- Do not weaken route authorization, role checks, tenant checks, gateway
policy, or authentication middleware to preserve compatibility.
- Do not run exploit traffic against production or shared customer
environments.
- Do not log tokens, cookies, tenant IDs, request bodies, secrets, or customer
data while adding route tests.
- Do not auto-merge.
## Steps
1. Inventory every Quarkus application, module, container image, generated
deployment artifact, SBOM, and dependency report controlled by this
repository.
2. Determine the resolved Quarkus and `quarkus-vertx-http` versions for each
deployable target. A target is vulnerable if it resolves to:
- `<3.20.6.1`;
- `>=3.21.0, <3.27.3.1`;
- `>=3.28.0, <3.33.1.1`;
- `>=3.34.0, <3.34.7`;
- `>=3.35.0, <3.35.2`.
3. Search for path-based authorization rules and sensitive route patterns:
`quarkus.http.auth.*`, `roles-allowed`, `permissions-allowed`, `@Path`,
`@RolesAllowed`, `@PermissionsAllowed`, gateway path rules, and route
aliases for admin, tenant, connector, agent, billing, export, or secrets
paths.
4. Upgrade affected Quarkus dependencies to the fixed release on the current
supported stream. Regenerate package locks, BOM pins, SBOMs, images,
generated manifests, and dependency reports controlled by the repo.
5. Add tests that prove protected endpoints still deny lower-privileged and
unauthenticated callers when the request path contains:
- `;anything` after the protected route;
- semicolon parameters before nested path segments;
- URL-encoded semicolon variants where the framework or gateway decodes
them before routing.
6. For the highest-risk routes, add or preserve resource-method authorization
annotations or explicit policy checks so path configuration is not the only
enforcement point.
7. Add a PR body section named `CVE-2026-39852 operator actions` that states:
- Quarkus versions before and after;
- protected routes tested;
- generated artifacts refreshed;
- whether any gateway or ingress path-normalization rules need deployment;
- which access logs should be reviewed for semicolon requests during the
vulnerable window.
8. Run the relevant validation: Maven/Gradle dependency resolution,
authorization tests, integration tests, gateway render checks, lint,
container build, SBOM refresh, and dependency/security scans available in
this repository.
9. Use PR title:
`fix(sec): remediate CVE-2026-39852 in Quarkus routing authz`.
## Stop conditions
- No Quarkus application or deployable Quarkus artifact is controlled here.
- All controlled Quarkus targets already resolve fixed versions and generated
deployment artifacts are current.
- The package upgrade requires a broader stream migration that this repository
cannot safely own; document the owner, target fixed stream, and temporary
gateway containment.
- Authorization tests require production credentials, live tenant data, or
customer traffic.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Verification - what the reviewer looks for
- No controlled manifest, lockfile, image, SBOM, or deployment target resolves an affected Quarkus version.
- Negative authorization tests include semicolon path variants for sensitive protected routes.
- Sensitive routes retain explicit role, permission, tenant, or policy checks.
- Generated artifacts and dependency reports are refreshed.
- The PR names any log review or gateway deployment action needed for runtime closure.
Output contract
- Reviewer-ready PR upgrading affected Quarkus targets on their current supported streams with refreshed BOM pins, locks, images, manifests, SBOMs, and reports.
- Negative authorization tests for
;anything, nested matrix parameters, and encoded semicolon variants on sensitive routes. - Method-level or explicit policy checks preserved or added for highest-risk resources where path policy alone is brittle.
TRIAGE.mdwhen Quarkus runtime ownership, stream migration, gateway containment, or generated deployment artifacts are outside this repository.
Watch for
- Updating the Maven BOM but leaving a Docker image, generated deployment manifest, or SBOM pinned to an older Quarkus layer.
- Tests that cover
/api/adminbut not/api/admin;anything. - Gateway normalization that strips semicolons before test traffic reaches the application, hiding whether the application patch is actually deployed.
- Admin or agent-control routes that rely only on broad path policies instead of method-level authorization.
Related recipes
- CVE-2026-40181 React Router protocol-relative open redirect
- Critical infrastructure secure context
- CVE intelligence intake gate
References
- GitHub Advisory: https://github.com/advisories/GHSA-rc95-pcm8-65v9
- Quarkus advisory: https://github.com/quarkusio/quarkus/security/advisories/GHSA-rc95-pcm8-65v9
- Quarkus release note: https://quarkus.io/blog/CVE-2026-39852/
- NVD CVE: https://nvd.nist.gov/vuln/detail/CVE-2026-39852