729 matches found
Security Bulletin: IBM Enterprise Build of Quarkus is affected by a vulnerability in Apache Kafka
Summary IBM Enterprise Build of Quarkus is affected by a vulnerability in Apache Kafka Vulnerability Details CVEID:CVE-2026-35554 DESCRIPTION: A race condition in the Apache Kafka Java producer client’s buffer pool management can cause messages to be silently delivered to incorrect topics. When a...
Security Bulletin: IBM Enterprise Build of Quarkus is affected by an authorization bypass vulnerability
Summary IBM Enterprise Build of Quarkus is affected by an authorization bypass vulnerability CVE-2026-39852 Vulnerability Details CVEID:CVE-2026-39852 DESCRIPTION: Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1,...
ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-metrics (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +6399 more potentially affected by CVE-2026-6860 via io.vertx:vertx-core (>=4.3.4 <=4.5.26)
io.vertx:vertx-core MAVEN version =4.3.4, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.1.0, =0.1.0, =0.0.86, =0.0.86, =0.0.86, =def544ccef5f753238ecc4adfc2eaa7d2fc36d53-0.0.91 -...
CVE-2026-39852
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP...
CVE-2026-39852 Quarkus authorization bypass via semicolon path normalization inconsistency
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP...
CVE-2026-39852 Quarkus authorization bypass via semicolon path normalization inconsistency
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP...
CVE-2026-39852
Summary of CVE-2026-39852 : Quarkus exposes an authorization bypass due to path normalization mismatch between the security layer and RESTEasy Reactive routing, which preserves semicolons (matrix parameters) in the raw URL while routing drops them for endpoint matching. This allows unauthenticate...
CVE-2026-39852
Quarkus is a Java framework for building cloud-native applications. In versions prior to 3.20.6.1, 3.27.3.1, 3.33.1.1, 3.35.1.1, 3.34.7, and 3.35.2, a path normalization inconsistency between the security layer and the routing layer allows unauthenticated or lower-privileged users to bypass HTTP...
Important: Red Hat Security Advisory: Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available (RHBQ 3.27.3.SP1)
An update for Red Hat Build of Apache Camel 4.14 for Quarkus 3.27 update is now available RHBQ 3.27.3.SP1. The purpose of this text-only errata is to inform you about the enhancements that improve your developer experience and ensure the security and stability of your products. Red Hat Product...
io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests
A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected...
io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests
A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected...
io.quarkus:quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests
A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected...
Important: Red Hat Security Advisory: Red Hat build of Quarkus 3.27.3.SP1 security update
An update is now available for Red Hat build of Quarkus. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability. For more informatio...
CVE-2026-39852
A flaw was found in io.quarkus:quarkus-vertx-http. A remote attacker can exploit an authorization bypass vulnerability by including semicolons, also known as matrix parameters, in HTTP requests. This allows bypassing path-based HTTP security policies, enabling unauthorized access to protected...
Quarkus 安全漏洞
Quarkus is an open-source cloud-native Linux framework for writing Java applications. Quarkus has a security vulnerability that stems from inconsistent path normalization between the security layer and the routing layer. This vulnerability allows unauthenticated or low-privilege users to bypass...
io.quarkiverse.docling:quarkus-docling (>=0.0.1 <=0.0.4), io.quarkiverse.docling:quarkus-docling-deployment (>=0.0.1 <=0.0.4) +112 more potentially affected by CVE-2026-42333 via io.quarkiverse.openapi.generator:quarkus-openapi-generator (>=0.1.0 <=2.15.0)
io.quarkiverse.openapi.generator:quarkus-openapi-generator MAVEN version =0.1.0, =0.0.1, =0.0.1, =0.1.0, =2.10.0, =0.4.0, =2.10.0, =2.15.0 - org.apache.kie.sonataflow:sonataflow-addons-quarkus-camel =10.2.0 - org.apache.kie.sonataflow:sonataflow-addons-quarkus-camel-deployment =10.2.0 -...
io.quarkiverse.docling:quarkus-docling (>=0.0.1 <=0.0.4), io.quarkiverse.docling:quarkus-docling-deployment (>=0.0.1 <=0.0.4) +54 more potentially affected by CVE-2026-42333 via io.quarkiverse.openapi.generator:quarkus-openapi-generator (>=2.0.0 <=2.11.0)
io.quarkiverse.openapi.generator:quarkus-openapi-generator MAVEN version =2.0.0, =0.0.1, =0.0.1, =2.0.0, =2.10.0, =2.10.0, =2.11.0-lts - org.apache.kie.sonataflow:sonataflow-addons-quarkus-camel =10.2.0 - org.apache.kie.sonataflow:sonataflow-addons-quarkus-camel-deployment =10.2.0 -...
Incorrect Implementation of Authentication Algorithm
Overview Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm due to the too broad path-template matching in the runtime authentication layer. An attacker can cause sensitive authentication credentials to be sent to unintended endpoints that may...
GHSA-FR8F-RWJX-F32V quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations
Summary The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected...
com.github.fmcejudo:quarkus-eureka (>=1.0.0 <=1.1.1), com.github.fmcejudo:quarkus-eureka-deployment (>=1.0.0 <=1.1.1) +70 more potentially affected by CVE-2026-39852 via io.quarkus:quarkus-undertow (>=3.0.0.Alpha1 <=3.20.6)
io.quarkus:quarkus-undertow MAVEN version =3.0.0.Alpha1, =1.0.0, =1.0.0, =2.0.0-alpha1, =24.4.0, =24.4.0, =2.0.0-alpha1, =24.4.0, =24.4.0, =2.0.0, =2.0.0, =24.0.0, =24.8.3, =9.2.3, =0.23.0, =0.11.2, =0.24.5 and more Source cves: CVE-2026-39852 Source advisory: SNYK:JAVA-IOQUARKUS-16420253...