CVE-2026-39852 - Quarkus matrix-parameter authorization bypass

Quarkus had a path-normalization mismatch between HTTP authorization and RESTEasy Reactive routing. The security layer evaluated the raw request path, including semicolon matrix parameters, while the routing layer stripped those parameters before dispatching to the endpoint.

An unauthenticated or lower-privileged caller could request a protected route with a semicolon suffix, such as /api/admin;anything, and have the request route to /api/admin without matching the intended path-based authorization rule. The highest-risk applications are those that use path policies for admin APIs, tenant controls, workflow promotion, connector enablement, or internal agent-control endpoints.

When to use it

  • A repository builds, deploys, or packages Quarkus applications on affected quarkus-vertx-http or platform streams.
  • Protected APIs rely on path-based authorization rules, gateway path policy, generated config, or route matchers.
  • Sensitive routes include admin, tenant, billing, connector, workflow, secrets, export, or agent-control endpoints.
  • You need a bounded PR or triage note that upgrades Quarkus and proves semicolon/matrix-parameter variants cannot bypass authorization.

Inputs

  • Maven/Gradle manifests, BOM pins, locks, Quarkus config, resource routes, gateway/ingress policy, Dockerfiles, images, generated manifests, SBOMs, and dependency reports.
  • Protected route inventory, path-based auth rules, method-level annotations, matrix/encoded-semicolon handling, gateway normalization, access logs, and rollout owners.
  • Available dependency resolution, authz tests, integration tests, gateway render checks, container build, SBOM, and dependency/security scans.

Affected versions

Patch the Quarkus stream the application actually runs.

Package Vulnerable versions Fixed versions
io.quarkus:quarkus-vertx-http / Quarkus platform <3.20.6.1; >=3.21.0, <3.27.3.1; >=3.28.0, <3.33.1.1; >=3.34.0, <3.34.7; >=3.35.0, <3.35.2 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.34.7, 3.35.2

Indicator-of-exposure

  • The repository builds, deploys, or packages a Quarkus application using an affected version of quarkus-vertx-http or the Quarkus platform.
  • The application uses path-based authorization through quarkus.http.auth.* policy rules, route matchers, generated deployment config, gateway policy, or framework middleware.
  • Protected paths include admin APIs, tenant configuration, billing controls, connector approval, agent tool enablement, secrets, data export, or workflow promotion.
  • RESTEasy Reactive routes are exposed to untrusted HTTP clients.

Quick checks:

rg -n "io.quarkus|quarkus-vertx-http|quarkus.platform|quarkus.http.auth|@RolesAllowed|@PermissionsAllowed|@Path\\(" .
mvn dependency:tree -Dincludes=io.quarkus
./mvnw dependency:tree -Dincludes=io.quarkus
rg -n "quarkus\\.http\\.auth\\..*paths|roles-allowed|permissions-allowed|/admin|/internal|/tenant|/connectors|/agents" src config deploy charts .

Remediation strategy

  • Upgrade every affected Quarkus application to the fixed release for its supported stream. Do not jump streams unless the repository already owns that migration risk.
  • Regenerate Maven/Gradle locks, platform BOM pins, container images, SBOMs, deployment render output, and dependency reports.
  • Add negative tests for semicolon and encoded-semicolon variants against the most sensitive protected routes.
  • Prefer annotation or code-level authorization on sensitive resource methods where path policy alone would be too easy to drift.
  • Review gateway and WAF normalization behavior so upstream path rewrites do not mask coverage gaps in application tests.

The prompt

You are remediating CVE-2026-39852 (Quarkus matrix-parameter authorization
bypass). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades affected Quarkus packages,
  adds authorization regression tests, refreshes generated artifacts, and
  documents operator checks, or
- TRIAGE.md if this repository does not own an affected Quarkus application or
  cannot make a safe patch.

## Rules

- Scope only CVE-2026-39852 and directly related Quarkus authorization tests.
- Do not weaken route authorization, role checks, tenant checks, gateway
  policy, or authentication middleware to preserve compatibility.
- Do not run exploit traffic against production or shared customer
  environments.
- Do not log tokens, cookies, tenant IDs, request bodies, secrets, or customer
  data while adding route tests.
- Do not auto-merge.

## Steps

1. Inventory every Quarkus application, module, container image, generated
   deployment artifact, SBOM, and dependency report controlled by this
   repository.
2. Determine the resolved Quarkus and `quarkus-vertx-http` versions for each
   deployable target. A target is vulnerable if it resolves to:
   - `<3.20.6.1`;
   - `>=3.21.0, <3.27.3.1`;
   - `>=3.28.0, <3.33.1.1`;
   - `>=3.34.0, <3.34.7`;
   - `>=3.35.0, <3.35.2`.
3. Search for path-based authorization rules and sensitive route patterns:
   `quarkus.http.auth.*`, `roles-allowed`, `permissions-allowed`, `@Path`,
   `@RolesAllowed`, `@PermissionsAllowed`, gateway path rules, and route
   aliases for admin, tenant, connector, agent, billing, export, or secrets
   paths.
4. Upgrade affected Quarkus dependencies to the fixed release on the current
   supported stream. Regenerate package locks, BOM pins, SBOMs, images,
   generated manifests, and dependency reports controlled by the repo.
5. Add tests that prove protected endpoints still deny lower-privileged and
   unauthenticated callers when the request path contains:
   - `;anything` after the protected route;
   - semicolon parameters before nested path segments;
   - URL-encoded semicolon variants where the framework or gateway decodes
     them before routing.
6. For the highest-risk routes, add or preserve resource-method authorization
   annotations or explicit policy checks so path configuration is not the only
   enforcement point.
7. Add a PR body section named `CVE-2026-39852 operator actions` that states:
   - Quarkus versions before and after;
   - protected routes tested;
   - generated artifacts refreshed;
   - whether any gateway or ingress path-normalization rules need deployment;
   - which access logs should be reviewed for semicolon requests during the
     vulnerable window.
8. Run the relevant validation: Maven/Gradle dependency resolution,
   authorization tests, integration tests, gateway render checks, lint,
   container build, SBOM refresh, and dependency/security scans available in
   this repository.
9. Use PR title:
   `fix(sec): remediate CVE-2026-39852 in Quarkus routing authz`.

## Stop conditions

- No Quarkus application or deployable Quarkus artifact is controlled here.
- All controlled Quarkus targets already resolve fixed versions and generated
  deployment artifacts are current.
- The package upgrade requires a broader stream migration that this repository
  cannot safely own; document the owner, target fixed stream, and temporary
  gateway containment.
- Authorization tests require production credentials, live tenant data, or
  customer traffic.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled manifest, lockfile, image, SBOM, or deployment target resolves an affected Quarkus version.
  • Negative authorization tests include semicolon path variants for sensitive protected routes.
  • Sensitive routes retain explicit role, permission, tenant, or policy checks.
  • Generated artifacts and dependency reports are refreshed.
  • The PR names any log review or gateway deployment action needed for runtime closure.

Output contract

  • Reviewer-ready PR upgrading affected Quarkus targets on their current supported streams with refreshed BOM pins, locks, images, manifests, SBOMs, and reports.
  • Negative authorization tests for ;anything, nested matrix parameters, and encoded semicolon variants on sensitive routes.
  • Method-level or explicit policy checks preserved or added for highest-risk resources where path policy alone is brittle.
  • TRIAGE.md when Quarkus runtime ownership, stream migration, gateway containment, or generated deployment artifacts are outside this repository.

Watch for

  • Updating the Maven BOM but leaving a Docker image, generated deployment manifest, or SBOM pinned to an older Quarkus layer.
  • Tests that cover /api/admin but not /api/admin;anything.
  • Gateway normalization that strips semicolons before test traffic reaches the application, hiding whether the application patch is actually deployed.
  • Admin or agent-control routes that rely only on broad path policies instead of method-level authorization.

References