Quarkus version 3.32.4 is vulnerable to an authorization bypass issue (GHSL-2026-099), in which semicolons (matrix parameters) in HTTP requests can be used to bypass security constraints, potentially allowing unauthorized access to protected resources.
Unauthenticated or lower-privileged users can bypass HTTP path-based authorization policies by appending a semicolon (;) and arbitrary text to the request URL. The vulnerability arises from a path-normalization inconsistency: Quarkus's security layer performs authorization checks on the raw URL path (which preserves matrix parameters), whereas RESTEasy Reactive's routing layer strips matrix parameters before matching endpoints. This allows requests like /api/admin;anything to bypass policies protecting /api/admin while still routing to the protected endpoint.
This issue may lead to Authentication/Authorization bypasses.
This issue was discovered with the GitHub Security Lab Taskflow Agent and manually verified by GHSL team members @p- (Peter Stöckli) and @m-y-mo (Man Yue Mo).
| Score | Percentile |
|---|---|
| 0.03% | 9.22% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 8.2 | 3.1 | — |
|
| 8.8 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-rc95-pcm8-65v9 ↗ |
| CVE | CVE-2026-39852 ↗ |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| maven | io.quarkus:quarkus-vertx-http | < 3.20.6.1 | 3.20.6.1 | — |
| maven | io.quarkus:quarkus-vertx-http | >= 3.21.0, < 3.27.3.1 | 3.27.3.1 | — |
| maven | io.quarkus:quarkus-vertx-http | >= 3.30.0, < 3.33.1.1 | 3.33.1.1 | — |
| maven | io.quarkus:quarkus-vertx-http | >= 3.34.0, < 3.35.1.1 | 3.35.1.1 | — |