CVE-2026-40180
Analyzed Analyzed - Analysis Complete
Path Traversal in Quarkus OpenAPI Generator ZIP Extraction

Publication date: 2026-04-10

Last updated on: 2026-05-21

Assigner: GitHub, Inc.

Description
Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. This vulnerability is fixed in 2.16.0 and 2.15.0-lts.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-05-21
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40180
EUVD
EUVD-2026-21583
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
quarkiverse quarkus_openapi_generator to 2.15.0 (exc)
quarkiverse quarkus_openapi_generator 2.15.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40180 is a Zip Slip path traversal vulnerability in the quarkus-openapi-generator component, specifically in the ApicurioCodegenWrapper class. The unzip() method extracts ZIP archive entries without validating that the resolved file paths remain within the intended output directory. This means a malicious ZIP file containing entries with path traversal sequences (like "../../malicious.java") can cause files to be written outside the target directory.

The vulnerability arises because the code constructs the destination file path by simply appending the ZIP entry name to the output directory without normalizing or checking for path traversal. This allows attackers to overwrite arbitrary files on the filesystem during extraction.

The issue is fixed in versions 2.16.0 and 2.15.0-lts by modifying the unzip method to resolve and normalize each ZIP entry's path and verify that it starts with the intended output directory path. If the check fails, the extraction is aborted for that entry, preventing path traversal.

Impact Analysis

An attacker who can supply or intercept the ZIP archive used by the quarkus-openapi-generator can exploit this vulnerability to write arbitrary files outside the intended output directory on the build machine.

  • Overwrite source files or build outputs with malicious code.
  • Modify configuration files or other critical files on the filesystem.
  • Potentially execute arbitrary code if the overwritten files are executed or compiled.

In CI/CD environments, this could lead to supply chain compromise by injecting malicious code during the build or code generation process.

Detection Guidance

This vulnerability can be detected by checking if ZIP archives processed by the quarkus-openapi-generator component contain entries with path traversal sequences such as "../../" that could cause files to be written outside the intended output directory.

One way to detect exploitation attempts is to monitor or inspect ZIP files used in the code generation process for suspicious entries.

Since the vulnerability arises during ZIP extraction, you can use commands to list ZIP contents and look for path traversal patterns.

  • Use the command `unzip -l suspicious.zip` to list the contents of a ZIP file and check for entries with "../" sequences.
  • Use `zipinfo suspicious.zip` to get detailed information about ZIP entries and identify any with path traversal.
  • In logs or build outputs, look for IOException messages containing "Invalid ZIP entry:" which indicate detection of path traversal during extraction.

Additionally, reviewing the source code or test logs for the presence of the validation logic that rejects unsafe ZIP entries can confirm if the fix is applied.

Mitigation Strategies

The primary mitigation step is to upgrade the quarkus-openapi-generator component to version 2.16.0 or 2.15.0-lts, where the vulnerability is fixed.

The fix involves validating ZIP entry paths during extraction by resolving and normalizing each entry's path and ensuring it does not escape the intended output directory.

If upgrading immediately is not possible, avoid processing ZIP files from untrusted or unauthenticated sources to reduce risk.

Ensure that the environment where code generation occurs is secured, with proper network protections and TLS configurations to prevent man-in-the-middle attacks serving malicious ZIP files.

Review build and deployment pipelines to detect and block ZIP files containing path traversal entries before they are processed.

Compliance Impact

This vulnerability allows an attacker to perform a Zip Slip path traversal attack, enabling arbitrary file overwrite on the build machine during code generation. Such unauthorized file writes could lead to injection of malicious code or modification of configuration files.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the ability to overwrite arbitrary files and potentially compromise build environments or supply chains could indirectly impact compliance by violating data integrity, security, and operational controls required by these regulations.

Organizations relying on this component in their build or deployment pipelines should consider the risk of supply chain compromise and unauthorized code execution as factors that could affect their compliance posture, especially regarding secure software development practices and protection of sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40180. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart