QwikSec

Security Database

CVE

CWE

Training

CVE-2026-42333

Published: May 9, 2026

Modified: May 11, 2026

PUBLISHED

Description

Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to versions 2.11.1-lts, 2.16.0-lts, and 2.17.0, the generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints. This issue has been patched in versions 2.11.1-lts, 2.16.0-lts, and 2.17.0.

Vendor	Product	Versions
quarkiverse	quarkus-openapi-generator	affected `< 2.11.1-lts` affected `< 2.16.0-lts` affected `< 2.17.0`

Weaknesses (CWE)

References

https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v

x_refsource_CONFIRM

https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586

x_refsource_MISC

https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts

x_refsource_MISC

https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts

x_refsource_MISC

https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.