Quarkus OpenAPI Generator Authentication Filter Vulnerability Allowing Credential Misrouting
Vulnerability
A vulnerability exists in Quarkus OpenAPI Generator versions prior to 2.11.1-lts, 2.16.0-lts, and 2.17.0. The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. As a result, a security scheme intended for one operation can be applied to another operation whose path is similar but not identical, so that sensitive credentials such as bearer tokens, API keys, or basic authentication headers are sent to the wrong endpoint. The vulnerability is triggered through normal use of the generated client, without any need to alter the generated code.
Impact
This vulnerability can cause authentication credentials to be sent to unintended endpoints, potentially exposing sensitive information such as bearer tokens or API keys to lower-trust routes. It can also lead to public operations being called with privileged credentials, undermining the intended separation between protected and unprotected operations.
Reproduction
To reproduce this vulnerability, create a Maven project and include the Quarkus OpenAPI Generator dependency. Generate a client from an OpenAPI specification that includes a security scheme applied to a specific path operation. Then, invoke a different operation that partially matches the path template but is not intended to be protected. The authentication filter will incorrectly attach the credentials, demonstrating the vulnerability.
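The following is an added, self-contained illustration of the defect class described above; it is not code from the Quarkus OpenAPI Generator, and the sample spec (`GET /users/{id}` secured by a scheme named `bearerAuth`), the request paths and the over-broad matcher are constructed assumptions. It contrasts a loose template match, which attaches the scheme to a similar-but-different path, with a segment-wise match that only fires on the exact operation.

```python
import re
from typing import Callable, Optional

# Constructed sample spec: only GET /users/{id} carries a security scheme.
# The paths and scheme name are hypothetical, not taken from the advisory.
SECURED_OPERATIONS = {
    ("GET", "/users/{id}"): "bearerAuth",
}


def loose_matches(template: str, path: str) -> bool:
    """Over-broad matcher (hypothetical): each {param} becomes '.*' and the
    pattern is anchored only at the start, so /users/{id} also matches
    /users/42/public. This shows how the defect class arises; it is not
    a reconstruction of the generator's actual code."""
    pattern = re.sub(r"\{[^/}]+\}", ".*", template)
    return re.match(pattern, path) is not None


def strict_matches(template: str, path: str) -> bool:
    """Segment-wise matcher: the request must have the same number of
    segments as the template, literal segments must be equal, and each
    {param} consumes exactly one non-empty segment (never a '/')."""
    t_parts = template.strip("/").split("/")
    p_parts = path.strip("/").split("/")
    if len(t_parts) != len(p_parts):
        return False
    for t, p in zip(t_parts, p_parts):
        if t.startswith("{") and t.endswith("}"):
            if not p:  # an empty segment is not a valid path parameter
                return False
        elif t != p:
            return False
    return True


def scheme_for(method: str, path: str,
               matches: Callable[[str, str], bool]) -> Optional[str]:
    """Return the security scheme a filter using `matches` would attach to
    the request, or None if no secured operation matches."""
    for (m, template), scheme in SECURED_OPERATIONS.items():
        if m == method and matches(template, path):
            return scheme
    return None


if __name__ == "__main__":
    for p in ("/users/42", "/users/42/public"):
        print(p, "loose:", scheme_for("GET", p, loose_matches),
              "strict:", scheme_for("GET", p, strict_matches))
```

With the loose matcher `/users/42/public` receives `bearerAuth` even though only `/users/{id}` is secured; the strict matcher attaches it to `/users/42` alone.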
Remediation
Users can upgrade to Quarkus OpenAPI Generator versions 2.11.1-lts, 2.16.0-lts, or 2.17.0 to address this vulnerability.