CVE-2026-50559: Authentication/Authorization Bypass via Advanced Path Normalization Vulnerabilities
Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.
Security readout for executives and security teams
Plain-English summary
Quarkus applications using HTTP path-based authorization may let unauthenticated users reach content that should be protected. The issue comes from inconsistent path normalization before authorization checks. The stated impact is confidentiality loss, not integrity or availability. Patched Quarkus releases are available.
Executive priority
Treat as high priority for externally reachable Quarkus services or systems exposing sensitive data. Prioritize patching over compensating controls because the flaw is in authorization path handling.
Technical view
Before the listed fixed releases, Quarkus authorization checks could be bypassed with specially encoded path characters that affected matrix-parameter handling and protected static resource access. The issue is separate from CVE-2026-39852, which covered only literal semicolon stripping. CVSS 3.1 is 7.5, network reachable, low complexity, no privileges, no user interaction.
Likely exposure
Most relevant to Java services built on affected Quarkus 3.x versions that rely on HTTP path-based authorization policies or serve protected static resources. Internet-facing services increase business urgency.
Exploitation context
The bundle does not show CISA KEV listing or confirmed active exploitation. The vulnerability is still practical to prioritize because it is network reachable, unauthenticated, low complexity, and affects access control.
Researcher notes
Focus review on normalization consistency between routing, security policy evaluation, and static resource serving. Evidence provided identifies affected version ranges and fixed versions, but does not include exploit telemetry or broader affected product claims beyond Quarkus and listed Red Hat advisories.
Mitigation direction
Upgrade Quarkus to one of the fixed versions listed in the advisory.
Apply relevant Red Hat errata where Quarkus is consumed through Red Hat products.
Review vendor guidance for product-specific packaging, backports, and support status.
Reassess path-based authorization rules protecting sensitive endpoints and static resources.
Validation and detection
Inventory Quarkus versions across applications and build manifests.
Flag versions in the affected ranges listed by the CVE source bundle.
Confirm production deployments run a fixed or vendor-backported build.
Review whether protected resources rely on path-only authorization decisions.
Test authorization behavior in a controlled environment without publishing bypass details.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-287: Credential and account abuse lookup
Authentication and credential weaknesses can make valid-account abuse and credential telemetry useful review starting points. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
CWE-863: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.