Vulnerability Description
Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. This vulnerability is fixed in 2.16.0 and 2.15.0-lts.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Quarkiverse | Quarkus Openapi Generator | < 2.15.0 |
Related Weaknesses (CWE)
References
- https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed1Patch
- https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719aPatch
- https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSExploitVendor Advisory
- https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSExploitVendor Advisory
FAQ
What is CVE-2026-40180?
CVE-2026-40180 is a vulnerability with a CVSS score of 7.5 (HIGH). Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ...
How severe is CVE-2026-40180?
CVE-2026-40180 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40180?
Check the references section above for vendor advisories and patch information. Affected products include: Quarkiverse Quarkus Openapi Generator.