CVE-2026-40180: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in quarkiverse quarkus-openapi-generator
Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. This vulnerability is fixed in 2.16.0 and 2.15.0-lts.
AI Analysis
Technical Summary
The quarkus-openapi-generator extension for Quarkus versions before 2.16.0 and 2.15.0-lts contains a path traversal vulnerability (CWE-22) in the unzip() method of ApicurioCodegenWrapper.java. The method constructs destination file paths by concatenating the output directory with ZIP entry names without validating that the resulting path remains within the intended directory. Malicious ZIP archives with entries containing path traversal sequences (e.g., ../../malicious.java) can cause files to be written outside the target directory, potentially overwriting arbitrary files on the host filesystem. This vulnerability is fixed in versions 2.16.0 and 2.15.0-lts.
Potential Impact
Successful exploitation allows an attacker to write files outside the designated output directory by crafting ZIP archives with path traversal sequences. This could lead to overwriting critical files or placing malicious files in arbitrary locations, potentially compromising system integrity or enabling further attacks. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade to quarkus-openapi-generator version 2.16.0 or 2.15.0-lts or later, where this path traversal vulnerability has been fixed. Patch status is confirmed by the vendor's versioning information. No additional mitigations are specified.
CVE-2026-40180: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in quarkiverse quarkus-openapi-generator
Description
Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. This vulnerability is fixed in 2.16.0 and 2.15.0-lts.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The quarkus-openapi-generator extension for Quarkus versions before 2.16.0 and 2.15.0-lts contains a path traversal vulnerability (CWE-22) in the unzip() method of ApicurioCodegenWrapper.java. The method constructs destination file paths by concatenating the output directory with ZIP entry names without validating that the resulting path remains within the intended directory. Malicious ZIP archives with entries containing path traversal sequences (e.g., ../../malicious.java) can cause files to be written outside the target directory, potentially overwriting arbitrary files on the host filesystem. This vulnerability is fixed in versions 2.16.0 and 2.15.0-lts.
Potential Impact
Successful exploitation allows an attacker to write files outside the designated output directory by crafting ZIP archives with path traversal sequences. This could lead to overwriting critical files or placing malicious files in arbitrary locations, potentially compromising system integrity or enabling further attacks. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade to quarkus-openapi-generator version 2.16.0 or 2.15.0-lts or later, where this path traversal vulnerability has been fixed. Patch status is confirmed by the vendor's versioning information. No additional mitigations are specified.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T20:59:17.619Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9581c1cc7ad14dae48c6c
Added to database: 4/10/2026, 8:05:48 PM
Last enriched: 4/10/2026, 8:21:07 PM
Last updated: 4/11/2026, 6:03:18 AM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.