6.9

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-1002

CVE-2026-1002: Eclipse Vert.x Web static handler file access denial

The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI.

The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Core component (used by Vert.x Web): https://github.com/eclipse-vertx/vert.x/pull/5895

Steps to reproduce Given a file served by the static handler, craft an URI that introduces a string like bar%2F..%2F after the last / char to deny the access to the URI with an HTTP 404 response. For example https://example.com/foo/index.html can be denied with https://example.com/foo/bar%2F..%2Findex.html

Mitgation Disabling Static Handler cache fixes the issue.

StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-1002

CVE-2026-1002:

6.9

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.vertx:vertx-core	maven	< 4.5.24	4.5.24

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patch commit d007e7b418543eb1567fe95cf20f5450a5c2d047 clearly points to a flaw in the removeDots function within the io.vertx.core.http.impl.HttpUtils class. The vulnerability description explains that specially crafted request URIs can manipulate the Vert.x Web static handler cache, leading to a denial of service. The commit message explicitly states that HttpUtils#removeDots does not properly handle a rule from RFC3986 for path segment normalization. The code change itself confirms this: the logic for handling "/.." sequences was corrected to properly truncate the output buffer even when no "/" is present. This prevents the incorrect path normalization that leads to the cache poisoning vulnerability. Therefore, the io.vertx.core.http.impl.HttpUtils.removeDots function is the direct source of the vulnerability.

Vulnerable functions

io.vertx.core.http.impl.HttpUtils.removeDots

src/main/java/io/vertx/core/http/impl/HttpUtils.java

The vulnerability lies in the `removeDots` function, which is responsible for normalizing path segments. The original implementation did not correctly handle path sequences like `/../` when there was no preceding path segment in the buffer to remove. Specifically, if the output buffer `obuf` did not contain a `/` (i.e., `pos == -1`), the code did nothing, leading to an incorrect path normalization. An attacker could craft a URI such as `https://example.com/foo/bar%2F..%2Findex.html` which, after decoding, becomes `https://example.com/foo/bar/../index.html`. The flawed `removeDots` logic would process this path incorrectly, causing the static handler to cache a 404 (Not Found) response for a valid resource, thus denying access to it.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-1002: Eclipse Vert.x Web static handler file access denial

CVE-2026-1002:

6.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

6.9

6.9

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2026-1002: Eclipse Vert.x Web static handler file access denial

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI