CVE-2026-1002

Description

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895 Steps to reproduceGiven a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.htmlMitgationDisabling Static Handler cache fixes the issue.StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

Risk Information

Base Score

5.3

MODERATE

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS Score

Exploitation Probability

0.021

Associated Vulnerability

Vulnerability	OS Platform
Vulnerabilities CVE-2026-1002 are fixed in Eclipse-vertx-core 4.5.24	Windows
Vulnerabilities CVE-2026-1002 are fixed in Eclipse-vertx-core 5.0.7	Windows
Vulnerabilities CVE-2026-1002 are fixed in Eclipse-vertx-core for Linux 4.5.24	Linux
Vulnerabilities CVE-2026-1002 are fixed in Eclipse-vertx-core for Linux 5.0.7	Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234