CVE-2026-42333

Sažetak

Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0.

Reference

https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586
https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts
https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts
https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0
https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

09-05-2026 - 20:16

Objavljeno

09-05-2026 - 20:16