{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-50559","assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","state":"PUBLISHED","assignerShortName":"GitHub_M","dateReserved":"2026-06-04T21:34:34.426Z","datePublished":"2026-06-19T20:26:39.322Z","dateUpdated":"2026-07-09T12:09:55.739Z"},"containers":{"cna":{"title":"Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities","problemTypes":[{"descriptions":[{"cweId":"CWE-287","lang":"en","description":"CWE-287: Improper Authentication","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-863","lang":"en","description":"CWE-863: Incorrect Authorization","type":"CWE"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"name":"https://github.com/quarkusio/quarkus/security/advisories/GHSA-qcxp-gm7m-4j5v","tags":["x_refsource_CONFIRM"],"url":"https://github.com/quarkusio/quarkus/security/advisories/GHSA-qcxp-gm7m-4j5v"}],"affected":[{"vendor":"quarkusio","product":"quarkus","versions":[{"version":">= 3.36.0, < 3.36.3","status":"affected"},{"version":">= 3.33.0, < 3.33.2.1","status":"affected"},{"version":">= 3.27.0, < 3.27.4.1","status":"affected"},{"version":"< 3.20.6.2","status":"affected"}]}],"providerMetadata":{"orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M","dateUpdated":"2026-06-19T20:26:39.322Z"},"descriptions":[{"lang":"en","value":"Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch."}],"source":{"advisory":"GHSA-qcxp-gm7m-4j5v","discovery":"UNKNOWN"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-22T17:29:52.634980Z","id":"CVE-2026-50559","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-22T18:13:41.983Z"}},{"affected":[{"cpes":["cpe:/a:redhat:apache_camel_quarkus:3.33"],"defaultStatus":"affected","product":"Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_devspaces:3.29::el9"],"defaultStatus":"affected","product":"Red Hat OpenShift Dev Spaces 3.29","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quarkus:3.20::el8"],"defaultStatus":"affected","product":"Red Hat build of Quarkus 3.20.6.SP2","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quarkus:3.27::el8"],"defaultStatus":"affected","product":"Red Hat build of Quarkus 3.27.4.SP1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:quarkus:3.33::el8"],"defaultStatus":"affected","product":"Red Hat build of Quarkus 3.33.2.SP1","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:2.9::el9"],"defaultStatus":"affected","product":"Streams for Apache Kafka 2.9.4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:cryostat:4"],"defaultStatus":"affected","product":"Cryostat 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:serverless:1"],"defaultStatus":"affected","product":"OpenShift Serverless","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apache_camel_hawtio:4"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel - HawtIO 4","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:camel_quarkus:3"],"defaultStatus":"affected","product":"Red Hat build of Apache Camel 4 for Quarkus 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:apicurio_registry:3"],"defaultStatus":"affected","product":"Red Hat build of Apicurio Registry 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:debezium:3"],"defaultStatus":"affected","product":"Red Hat build of Debezium 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jboss_fuse:7"],"defaultStatus":"affected","product":"Red Hat Fuse 7","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:jbosseapxp"],"defaultStatus":"affected","product":"Red Hat JBoss Enterprise Application Platform Expansion Pack","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:openshift_ai"],"defaultStatus":"affected","product":"Red Hat OpenShift AI (RHOAI)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:amq_streams:3"],"defaultStatus":"affected","product":"streams for Apache Kafka 3","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:build_keycloak:"],"defaultStatus":"unaffected","product":"Red Hat Build of Keycloak","vendor":"Red Hat"}],"datePublic":"2026-06-17T00:00:00.000Z","descriptions":[{"lang":"en","value":"A flaw was found in Quarkus. A remote attacker could bypass HTTP path-based authorization policies by using specially crafted encoded semicolons, slashes, or backslashes in HTTP requests. This could allow unauthorized access to protected static resources, leading to information disclosure."}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-551","description":"Incorrect Behavior Order: Authorization Before Parsing and Canonicalization","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-50559"},{"name":"RHBZ#2486959","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2486959"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50559.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26586"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:36820"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26194"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26018"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26017"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:34608"}],"solutions":[{"lang":"en","value":"RHSA-2026:26586: Red Hat Build of Apache Camel 3.33 for Quarkus 3.33.2.SP1"},{"lang":"en","value":"RHSA-2026:36820: Red Hat OpenShift Dev Spaces 3.29"},{"lang":"en","value":"RHSA-2026:26194: Red Hat build of Quarkus 3.20.6.SP2"},{"lang":"en","value":"RHSA-2026:26018: Red Hat build of Quarkus 3.27.4.SP1"},{"lang":"en","value":"RHSA-2026:26017: Red Hat build of Quarkus 3.33.2.SP1"},{"lang":"en","value":"RHSA-2026:34608: Streams for Apache Kafka 2.9.4"}],"timeline":[{"lang":"en","time":"2026-06-09T10:55:32.426Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-17T00:00:00.000Z","value":"Made public."}],"title":"io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters","workarounds":[{"lang":"en","value":"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-07-09T12:09:55.739Z"}}]}}