CVE-2026-1002
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-02-05

Assigner: Eclipse Foundation

Description
The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html Mitgation Disabling Static Handler cache fixes the issue. StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1002
EUVD
EUVD-2026-2695
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
eclipse vert.x to 4.5.24 (inc)
eclipse vert.x to 4.3.7 (inc)
eclipse vert.x to 3.9.5 (inc)
eclipse vert.x to 5.0.6 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-444 The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-1002 is a vulnerability in the Vert.x Web static handler component where the cache can be corrupted by specially crafted request URIs containing encoded segments like "%2F..%2F" (representing "/../"). The issue stems from improper URI path normalization according to RFC 3986, specifically the failure to correctly remove dot-segments in certain cases. This causes the static handler to cache non-existent file paths as missing, leading to denial of access to static files by returning HTTP 404 errors even for valid requests. The problem arises because the method responsible for removing dot-segments does not properly handle paths that do not start with a slash, resulting in incorrect cache entries. [1, 2]

Impact Analysis

This vulnerability can impact you by causing denial of access to static files served by the Vert.x Web static handler. When an attacker sends a specially crafted URI containing encoded dot-segments, it corrupts the static handler's cache, causing valid requests for static files to return HTTP 404 errors. This means legitimate users may be unable to access static resources, potentially disrupting service availability or user experience. [1]

Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests containing the encoded segment "%2F..%2F" in the URI path to the Vert.x Web static handler and observing if the server returns HTTP 404 responses incorrectly and if subsequent valid requests to the same resource also return HTTP 404 due to cache corruption. For example, you can use curl commands as follows: 1) curl "http://host/foo/index.html" - should return HTTP 200. 2) curl "http://host/foo/bar%2F..%2Findex.html" - should return HTTP 404 and corrupt the cache. 3) curl "http://host/foo/index.html" again - if it returns HTTP 404, the vulnerability is present due to cache corruption. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, disable the static handler cache in the Vert.x Web static handler component by configuring it as follows: StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false); This prevents cache corruption caused by the vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1002. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart