CVE-2026-40180
Path Traversal in Quarkus OpenAPI Generator ZIP Extraction
Publication date: 2026-04-10
Last updated on: 2026-04-13
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| quarkus | openapi_generator | up to 2.16.0 (exclusive) |
| quarkus | openapi_generator | up to 2.16.0 (inclusive) |
| quarkus | quarkus_openapi_generator | up to 2.15.0 (inclusive) |
| quarkus | quarkus_openapi_generator | up to 2.16.0 (inclusive) |
The ranges above overlap and are not all consistent with the fixed releases named in the text below (2.16.0 and 2.15.0-lts). Treat anything below 2.16.0, or below 2.15.0-lts on the LTS line, as affected, and confirm the exact version your build actually resolves rather than relying on these range entries.
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40180 is a Zip Slip path traversal vulnerability (CWE-22) in the quarkus-openapi-generator component, specifically in the ApicurioCodegenWrapper class. Its unzip() method extracts ZIP archive entries without validating that each entry's resolved destination stays inside the intended output directory, so a crafted archive containing an entry whose name carries traversal sequences (for example "../../malicious.java") causes that file to be written outside the target directory.
The root cause is that the destination path is built by appending the ZIP entry name to the output directory as-is, with no normalization and no containment check, so every ".." segment in the entry name is honoured by the filesystem. An attacker who controls the archive can therefore create or overwrite files at any location the extracting process is allowed to write.
The issue is fixed in versions 2.16.0 and 2.15.0-lts. The patched unzip method resolves and normalizes each entry's path and verifies that the result starts with the output directory path; an entry that fails the check is rejected with an IOException whose message begins "Invalid ZIP entry:", so nothing is written for that entry and the traversal is prevented.
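The flawed extraction loop and the containment check it was missing, side by side, as an added example in Python rather than the project's Java (this is illustration code, not the ApicurioCodegenWrapper source; the function names, the scratch directory layout and the two-entry sample archive are constructed for this demonstration). It goes slightly beyond the page's single "../../" case by also exercising absolute entry names and a sibling directory that shares the output directory's string prefix.

```python
"""Zip Slip: the naive extraction loop beside its hardened form.

Added example in Python, not the Java source of ApicurioCodegenWrapper. The
function names, the scratch directory layout and the archive are constructed.
"""
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import List, Optional


def build_sample_zip() -> bytes:
    """Constructed archive: one benign entry, one entry that climbs two levels up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("generated/src/Api.java", "// benign generated source\n")
        zf.writestr("../../evil.java", "// lands two directories above out_dir\n")
    return buf.getvalue()


def vulnerable_unzip(zip_bytes: bytes, out_dir: str) -> List[str]:
    """The flawed pattern: destination = out_dir + entry name, no containment check."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            dest = os.path.join(out_dir, info.filename)   # every '..' is honoured
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(dest))
    return written


def entry_target(out_dir: str, name: str) -> Optional[Path]:
    """Resolved destination for an entry, or None when it escapes out_dir.

    The containment test is component-wise (is_relative_to), not a string
    prefix test: '/tmp/out-evil/x' must not pass for root '/tmp/out'.
    """
    root = Path(out_dir).resolve()
    target = (root / name).resolve()   # absolute names replace root, '..' collapses
    return target if target.is_relative_to(root) else None


def safe_unzip(zip_bytes: bytes, out_dir: str) -> List[str]:
    """Same loop, but an entry that resolves outside out_dir aborts extraction."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = entry_target(out_dir, info.filename)
            if target is None:
                raise IOError(f"Invalid ZIP entry: {info.filename}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src:
                target.write_bytes(src.read())
            written.append(str(target))
    return written


def containment_report() -> dict:
    """entry_target over constructed edge-case names; True means accepted."""
    names = ["generated/src/Api.java", "../../evil.java", "/etc/passwd",
             "generated/../../sibling.java", "../out-evil/x"]
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = os.path.join(tmp, "out")
        os.makedirs(out_dir)
        return {n: entry_target(out_dir, n) is not None for n in names}


def demo() -> dict:
    """Run both extractors on the sample archive inside a throwaway tree."""
    data, result = build_sample_zip(), {}
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = os.path.join(tmp, "build", "out")
        os.makedirs(out_dir)
        inside = os.path.realpath(out_dir) + os.sep
        paths = vulnerable_unzip(data, out_dir)
        result["escaped"] = [p for p in paths if not p.startswith(inside)]
        result["evil_written"] = os.path.exists(os.path.join(tmp, "evil.java"))
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = os.path.join(tmp, "build", "out")
        os.makedirs(out_dir)
        try:
            safe_unzip(data, out_dir)
            result["rejected"] = False
        except IOError as exc:
            result["rejected"] = str(exc).startswith("Invalid ZIP entry:")
        result["evil_written_after_fix"] = os.path.exists(os.path.join(tmp, "evil.java"))
    return result


if __name__ == "__main__":
    print(demo())
    print(containment_report())
```

Running it shows the naive loop leaving `evil.java` two levels above the output directory while `safe_unzip` stops at that entry with the "Invalid ZIP entry:" error and writes nothing outside the root. `Path.is_relative_to` needs Python 3.9 or later; on older interpreters compare `os.path.commonpath([root, target]) == root` instead, but never fall back to `str(target).startswith(str(root))`, which the `../out-evil/x` case in `containment_report` exists to catch.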
How can this vulnerability impact me?
An attacker who can supply, or intercept in transit, the ZIP archive that the quarkus-openapi-generator extracts can write files outside the intended output directory on the build machine, with the privileges of the process running the generator. Concretely, the attacker can:
- Overwrite source files or build outputs with malicious code.
- Modify configuration files or any other file the build user is allowed to write.
- Achieve arbitrary code execution when an overwritten file is later compiled, executed or loaded by the build.
In CI/CD environments this amounts to a supply chain compromise: malicious code is injected during the build or code generation step and ends up in the shipped artifact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detecting whether you are exposed is a dependency-version question: check which quarkus-openapi-generator version your build resolves (for a Maven project, `mvn dependency:tree | grep quarkus-openapi-generator`; for Gradle, `gradle dependencies`) and compare it with the fixed releases, 2.16.0 and 2.15.0-lts.
Detecting an exploitation attempt means inspecting the ZIP archives the generator consumes for entries that would resolve outside the output directory, since that is where the vulnerability triggers.
Because the flaw is in ZIP extraction, listing archive contents is enough to spot a hostile archive before it is processed:
- `unzip -l suspicious.zip` lists the entry names; pipe it through `grep -n '\.\.'` to surface `..` segments. A grep for `../` alone misses backslash-separated names and absolute entry names, so check for those too.
- `zipinfo -1 suspicious.zip` prints one entry name per line, which is easier to feed to a script or a pre-build gate.
- In build logs, an IOException whose message starts with "Invalid ZIP entry:" means the patched code rejected a traversal entry; it confirms both that the fix is present and that a hostile archive reached the build.
Reviewing the component's source or its test logs for the validation logic that rejects unsafe ZIP entries is another way to confirm the fix is applied.
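A scanner that does the `unzip -l` / `zipinfo` inspection above programmatically, plus a pass over build-log lines for the rejection message, as an added example (Python; not part of the original page or of the project). The sample archive and the log lines are constructed, and the exact `Invalid ZIP entry: <name>` line shape matched by `REJECT_RE` is an assumption about the log format, since the page only quotes the message prefix. Unlike a containment check at extraction time, this classification is purely lexical, so it needs no output directory and can run on an archive before a build touches it.

```python
"""Scan ZIP archives and build logs for Zip Slip indicators.

Added example, not project code. The sample archive and log lines below are
constructed; the "Invalid ZIP entry: <name>" line format is an assumption.
"""
import io
import posixpath
import re
import zipfile
from typing import List, Optional, Tuple


def classify_name(name: str) -> Optional[str]:
    """Return why an entry name is unsafe, or None for a plain relative path.

    Backslashes are treated as separators because a naive extractor on
    Windows honours them and a grep for '../' would miss them.
    """
    n = name.replace("\\", "/")
    if "\x00" in n:
        return "embedded NUL"
    if n.startswith("/") or re.match(r"^[A-Za-z]:", n):
        return "absolute path"
    norm = posixpath.normpath(n)          # 'a/../../b' -> '../b', 'a/../b' -> 'b'
    if norm == ".." or norm.startswith("../"):
        return "parent traversal"
    return None


def suspicious_entries(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """(entry name, reason) for every entry that would escape the output dir."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            reason = classify_name(name)
            if reason:
                flagged.append((name, reason))
    return flagged


REJECT_RE = re.compile(r"Invalid ZIP entry:\s*(\S+)")  # assumed log line format


def rejected_entries(log_lines: List[str]) -> List[str]:
    """Entry names a patched extractor refused, taken from build-log lines."""
    return [m.group(1) for line in log_lines for m in [REJECT_RE.search(line)] if m]


def build_sample_zip() -> bytes:
    """Constructed archive mixing benign and hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("generated/src/Api.java", "// fine\n")
        zf.writestr("generated/../model/Pet.java", "// normalizes to a path inside\n")
        zf.writestr("../../evil.java", "// classic Zip Slip\n")
        zf.writestr("..\\..\\evil2.java", "// backslash variant\n")
        zf.writestr("/etc/cron.d/job", "// absolute name\n")
        zf.writestr("a/b/../../../c.java", "// climbs out only after normalization\n")
    return buf.getvalue()


SAMPLE_LOG = [  # constructed lines, not real generator output
    "[INFO] Generating client from petstore.yaml",
    "[ERROR] java.io.IOException: Invalid ZIP entry: ../../evil.java",
    "[INFO] BUILD FAILURE",
]


def demo() -> dict:
    """Scan the constructed archive and the constructed log."""
    return {
        "flagged": suspicious_entries(build_sample_zip()),
        "rejected": rejected_entries(SAMPLE_LOG),
    }


if __name__ == "__main__":
    report = demo()
    for name, reason in report["flagged"]:
        print(f"{reason:18} {name}")
    print("rejected by patched extractor:", report["rejected"])
```

Four of the six entries are flagged; `generated/../model/Pet.java` is not, because after normalization it still lands inside the output directory, which is exactly the distinction a bare `grep '\.\.'` cannot make. Wire `suspicious_entries` into the pipeline step that fetches the archive and fail the job on a non-empty result.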
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade quarkus-openapi-generator to 2.16.0, or to 2.15.0-lts on the LTS line, where the vulnerability is fixed.
The fix validates every ZIP entry during extraction: each entry's path is resolved and normalized and must not escape the intended output directory, otherwise extraction is aborted with an error.
If you cannot upgrade immediately, do not feed the generator ZIP archives from untrusted or unauthenticated sources, and verify the checksum of any archive you do use against a value obtained out of band.
Harden the environment where code generation runs: enforce TLS with certificate validation for every download so a man-in-the-middle cannot substitute a malicious archive, and run the build as a low-privilege user whose write access is limited to the workspace, which bounds what a traversal entry can overwrite.
Add a pre-build check to the pipeline that lists archive entries and blocks any archive containing entries with `..` segments or absolute names before they are processed.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to perform a Zip Slip path traversal attack, enabling arbitrary file overwrite on the build machine during code generation. Such unauthorized file writes could lead to injection of malicious code or modification of configuration files.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to overwrite arbitrary files and potentially compromise build environments or supply chains could indirectly impact compliance by violating data integrity, security, and operational controls required by these regulations.
Organizations relying on this component in their build or deployment pipelines should consider the risk of supply chain compromise and unauthorized code execution as factors that could affect their compliance posture, especially regarding secure software development practices and protection of sensitive data.