RHSA-2026:11721

Details:

This release of Red Hat build of Quarkus 3.27.3.SP1 includes the following CVE fixes:

• quarkus-vertx-http: io.quarkus:quarkus-vertx-http: Authorization bypass via semicolons in HTTP requests [quarkus-3.27] (CVE-2026-39852)
• bcprov-jdk18on: LDAP injection vulnerability in LDAPStoreHelper.java [quarkus-3.27] (CVE-2026-0636)
• bcpkix-jdk18on: PKIX draft CompositeVerifier accepts empty signature sequence as valid [quarkus-3.27] (CVE-2026-5588)
• bcprov-jdk18on: GOSTCTR implementation unable to process more than 255 blocks correctly [quarkus-3.27] (CVE-2025-14813)
• kafka-clients: Apache Kafka Clients: Information disclosure and data corruption due to race condition in producer buffer management [quarkus-3.27] (CVE-2026-35554)

For more information, see the release notes page listed in the References section.