๐Ÿ” CVE Alert

CVE-2026-42333

UNKNOWN 0.0

quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations

CVSS Score 0.0
EPSS Score 0.1%
EPSS Percentile 24th

Quarkus OpenAPI Generator is a Quarkus extension that generates REST clients and server stubs. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different operation that uses the same HTTP method and whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0.

CWE CWE-200
Vendor quarkiverse
Product quarkus-openapi-generator
Published May 9, 2026
Last Updated May 11, 2026

Affected Versions

quarkiverse / quarkus-openapi-generator
< 2.11.1-lts, < 2.16.0-lts, < 2.17.0

References

https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v
https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586
https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts
https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts
https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0