CVE-2026-39852
highCVSS v3 Base Score
8.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
EPSS Score
0.0%
Exploitation probability in 30 days
Top 97% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Confidentiality
None
Integrity
Low
Availability
High
Published: May 4, 2026 (67 days ago)
Last Modified: May 4, 2026
Vendor: Red Hat
Fix Available: ✓ Yes
Source: REDHAT
Vulnerability Report
Generated by CyberWatcher
Description
A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected endpoints. The vulnerability arises because Quarkus's security layer performs authorization checks on the raw URL path, which preserves these matrix parameters.
CWE
CWE-551Affected Products
OpenShift ServerlessRed Hat build of Apache Camel 4 for Quarkus 3Red Hat build of Apache Camel - HawtIO 4Red Hat build of Apicurio Registry 2Red Hat build of Apicurio Registry 3Red Hat build of Debezium 3Red Hat Build of KeycloakRed Hat build of OptaPlanner 8Red Hat Fuse 7Red Hat JBoss Enterprise Application Platform Expansion Pack