Executive Summary

CVE-2026-42333 affects the Quarkus OpenAPI Generator, specifically its generated authentication filter. The filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. This means that a security scheme configured for one operation can mistakenly be applied to a different operation with the same HTTP method but a partially similar path.

The root cause is that path templates with placeholders like {param} are treated as regular expressions that match any character sequence, including slashes. For example, a protected path like /repos/{ref} may incorrectly match a path like /repos/foo/bar, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints.

This vulnerability can expose sensitive authentication credentials to endpoints that should not receive them, potentially leading to unauthorized access or data leakage.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can cause bearer tokens, API keys, or basic authentication credentials to be sent to unintended endpoints that are not meant to receive them.

As a result, sensitive credentials may be exposed to lower-trust or unprotected routes, increasing the risk of unauthorized access, data breaches, or misuse of authentication tokens.

The issue is exploitable through normal client usage without needing to modify the generated code, making it a practical risk in affected versions.

The severity is rated as moderate with a CVSS score of 6.3, primarily impacting confidentiality and integrity.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability causes authentication credentials such as bearer tokens, API keys, or basic credentials to be sent to unintended endpoints due to overly broad path-parameter matching in the generated authentication filter.

To detect this on your network or system, you can monitor outgoing requests from clients using the Quarkus OpenAPI Generator and check if credentials are being sent to endpoints that should not require them.

For example, you can use network traffic capture tools like tcpdump or Wireshark to filter HTTP requests containing authorization headers sent to unexpected paths.

• Use tcpdump to capture HTTP requests with authorization headers: tcpdump -i <interface> -A 'tcp port 80 or tcp port 443' | grep -i 'Authorization'
• Use curl or similar tools to test specific endpoints and observe if credentials are attached to unintended paths.
• Review application logs or enable debug logging in the Quarkus OpenAPI Generator client to trace which endpoints are receiving authentication credentials.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade the Quarkus OpenAPI Generator to a patched version where this vulnerability is fixed.

• Upgrade to version 2.11.1-lts, 2.16.0-lts, or 2.17.0 or later, as these versions include the security patch addressing the overly broad path matching issue.

Until the upgrade can be applied, consider reviewing and restricting the use of authentication credentials in client configurations to minimize exposure.

Additionally, monitor network traffic for unexpected credential transmissions and audit access logs to detect potential misuse.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability causes authentication credentials such as bearer tokens, API keys, or basic credentials to be sent to unintended endpoints due to overly broad path matching in the generated authentication filter.

This unintended exposure of sensitive credentials can lead to unauthorized access to protected resources, potentially compromising confidentiality and integrity.

Such exposure of sensitive authentication data may negatively impact compliance with standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive information.

Useful 0 Not Useful 0