Quarkus is a Java framework for building cloud-native applications. Prior to versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2, Quarkus HTTP path-based authorization policies can be bypassed using encoded semicolons (%3B) to smuggle matrix parameters past the security layer, and using encoded slashes (%2F) or backslashes (%5C) to access protected static resources. This is a distinct issue from CVE-2026-39852, which addressed only literal semicolon stripping. Versions 3.37.0, 3.36.3, 3.33.2.1, 3.33.3, 3.27.4.1, 3.27.5, and 3.20.6.2 contain a patch.
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-50559.json
https://github.com/quarkusio/quarkus/security/advisories/GHSA-qcxp-gm7m-4j5v
https://bugzilla.redhat.com/show_bug.cgi?id=2486959
https://access.redhat.com/security/cve/CVE-2026-50559
https://access.redhat.com/errata/RHSA-2026:36820
https://access.redhat.com/errata/RHSA-2026:34608
https://access.redhat.com/errata/RHSA-2026:26586
https://access.redhat.com/errata/RHSA-2026:26194