CVE-2026-50559
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, an
CVSS
7.5
Alto
EPSS
0.5%
p37
KEV
—
Exploit Today
11
0-100
Publicado: 19 jun 2026 · Última mod.: 15 jul 2026 · CWE-287 · CWE-863 · CWE-551
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.
- github.comhttps://github.com/quarkusio/quarkus/security/advisories/GHSA-qcxp-gm7m-4j5v
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26017
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26018
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26194
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26586
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:34608
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:36820
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-50559
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2486959
- security.access.redhat.comhttps://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50559.json