{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/quarkus-vertx-http--3.20.6.1/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Quarkus Vertx HTTP (\u003c 3.20.6.1)","Quarkus Vertx HTTP (\u003e= 3.21.0, \u003c 3.27.3.1)","Quarkus Vertx HTTP (\u003e= 3.30.0, \u003c 3.33.1.1)","Quarkus Vertx HTTP (\u003e= 3.34.0, \u003c 3.35.1.1)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","authorization-bypass","web-application"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eA vulnerability exists in Quarkus Vertx HTTP versions \u0026lt; 3.20.6.1, \u0026gt;= 3.21.0 and \u0026lt; 3.27.3.1, \u0026gt;= 3.30.0 and \u0026lt; 3.33.1.1, and \u0026gt;= 3.34.0 and \u0026lt; 3.35.1.1. The vulnerability, designated as CVE-2026-39852, allows unauthenticated or lower-privileged users to bypass HTTP path-based authorization policies. By appending a semicolon (\u003ccode\u003e;\u003c/code\u003e) and arbitrary text to the request URL, attackers can gain unauthorized access to protected resources. This vulnerability stems from an inconsistency in path normalization: Quarkus\u0026rsquo;s security layer checks the raw URL path, while RESTEasy Reactive\u0026rsquo;s routing layer strips matrix parameters before matching endpoints. This means a request like \u003ccode\u003e/api/admin;anything\u003c/code\u003e can bypass authorization for \u003ccode\u003e/api/admin\u003c/code\u003e while still routing to the protected endpoint. This issue was discovered and verified by the GitHub Security Lab.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a protected endpoint, such as \u003ccode\u003e/api/admin\u003c/code\u003e, that requires authentication or specific privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the protected endpoint but appends a semicolon and arbitrary text, such as \u003ccode\u003e/api/admin;anything\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request is sent to the Quarkus Vertx HTTP server.\u003c/li\u003e\n\u003cli\u003eQuarkus\u0026rsquo;s security layer performs an authorization check on the raw URL path \u003ccode\u003e/api/admin;anything\u003c/code\u003e, which may not match the intended authorization rules for \u003ccode\u003e/api/admin\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eRESTEasy Reactive\u0026rsquo;s routing layer strips the matrix parameters (\u003ccode\u003e;anything\u003c/code\u003e) from the URL, resulting in the endpoint \u003ccode\u003e/api/admin\u003c/code\u003e being matched.\u003c/li\u003e\n\u003cli\u003eThe request is routed to the protected endpoint \u003ccode\u003e/api/admin\u003c/code\u003e, bypassing the intended authorization checks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the protected resource or functionality.\u003c/li\u003e\n\u003cli\u003eThe attacker performs actions they would not normally be authorized to perform, such as accessing sensitive data or modifying system configurations.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to unauthorized access to sensitive data, modification of system configurations, or other malicious activities. The vulnerability affects Quarkus Vertx HTTP applications that rely on path-based authorization policies. The number of affected applications is currently unknown, but any application using the vulnerable versions of Quarkus Vertx HTTP is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Quarkus Vertx HTTP to a patched version (\u0026gt;= 3.20.6.1, \u0026gt;= 3.27.3.1, \u0026gt;= 3.33.1.1, \u0026gt;= 3.35.1.1) to remediate CVE-2026-39852.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Quarkus Authorization Bypass Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing semicolons in the URL path to detect potential exploitation attempts using the \u003ccode\u003eMonitor Semicolons in URL Path\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-04T17:20:20Z","date_published":"2026-05-04T17:20:20Z","id":"/briefs/2026-05-quarkus-auth-bypass/","summary":"Quarkus Vertx HTTP versions \u003c 3.20.6.1, \u003e= 3.21.0 and \u003c 3.27.3.1, \u003e= 3.30.0 and \u003c 3.33.1.1, and \u003e= 3.34.0 and \u003c 3.35.1.1 are vulnerable to an authorization bypass where appending a semicolon and arbitrary text to the request URL allows unauthorized access to protected resources.","title":"Quarkus Vertx HTTP Authorization Bypass via Matrix Parameters","url":"https://feed.craftedsignal.io/briefs/2026-05-quarkus-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Quarkus Vertx HTTP (\u003c 3.20.6.1)","version":"https://jsonfeed.org/version/1.1"}