CVE-2026-40180: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in quarkiverse quarkus-openapi-generator
Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. This vulnerability is fixed in 2.16.0 and 2.15.0-lts.
AI Analysis
Technical Summary
The quarkus-openapi-generator extension for Quarkus versions before 2.16.0 and 2.15.0-lts contains a path traversal vulnerability (CWE-22) in the unzip() method of ApicurioCodegenWrapper.java. Specifically, ZIP entries are extracted without validating that the resolved file paths stay within the designated output directory. The code constructs the destination file path by combining the output directory and the ZIP entry name without sanitization, enabling an attacker to craft ZIP archives with entries containing path traversal sequences (e.g., ../../malicious.java). This can lead to arbitrary file writes outside the intended directory. The vulnerability is fixed in versions 2.16.0 and 2.15.0-lts.
Potential Impact
Successful exploitation allows an attacker to write files to arbitrary locations on the filesystem where the application has write permissions. This can lead to overwriting critical files, potentially enabling code execution or disruption of application behavior. The CVSS 4.0 score of 7.7 reflects a high severity with network attack vector, no privileges required, no user interaction, and high impact on integrity.
Mitigation Recommendations
Upgrade quarkus-openapi-generator to version 2.16.0 or 2.15.0-lts or later, where the vulnerability is fixed. Patch status is confirmed by the vendor advisory indicating the fix is included in these versions. Until upgraded, avoid processing untrusted ZIP archives with this component.
CVE-2026-40180: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in quarkiverse quarkus-openapi-generator
Description
Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. This vulnerability is fixed in 2.16.0 and 2.15.0-lts.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The quarkus-openapi-generator extension for Quarkus versions before 2.16.0 and 2.15.0-lts contains a path traversal vulnerability (CWE-22) in the unzip() method of ApicurioCodegenWrapper.java. Specifically, ZIP entries are extracted without validating that the resolved file paths stay within the designated output directory. The code constructs the destination file path by combining the output directory and the ZIP entry name without sanitization, enabling an attacker to craft ZIP archives with entries containing path traversal sequences (e.g., ../../malicious.java). This can lead to arbitrary file writes outside the intended directory. The vulnerability is fixed in versions 2.16.0 and 2.15.0-lts.
Potential Impact
Successful exploitation allows an attacker to write files to arbitrary locations on the filesystem where the application has write permissions. This can lead to overwriting critical files, potentially enabling code execution or disruption of application behavior. The CVSS 4.0 score of 7.7 reflects a high severity with network attack vector, no privileges required, no user interaction, and high impact on integrity.
Mitigation Recommendations
Upgrade quarkus-openapi-generator to version 2.16.0 or 2.15.0-lts or later, where the vulnerability is fixed. Patch status is confirmed by the vendor advisory indicating the fix is included in these versions. Until upgraded, avoid processing untrusted ZIP archives with this component.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T20:59:17.619Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9581c1cc7ad14dae48c6c
Added to database: 4/10/2026, 8:05:48 PM
Last enriched: 4/18/2026, 2:27:51 PM
Last updated: 5/26/2026, 8:47:44 AM
Views: 58
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.