CVE-2026-50559
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk36th percentile - higher than 36% of all known CVEs
Summary
In Quarkus, a Java framework for building cloud-native applications, a vulnerability allows bypassing HTTP path-based authorization policies. Attackers can use encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and encoded slashes (%2F) or backslashes (%5C) to access protected static resources.
Risk Assessment
The risk involves bypassing access control mechanisms and gaining unauthorized access to protected application resources, potentially leading to data leakage or system integrity compromise.
Recommendation
Immediately update Quarkus to one of the patched versions: 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, or 3.20.6.2.
Original NVD description (English source)
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.

