Description
Quarkus OpenAPI Generator is Quarkus' extension for generating REST clients and server stubs. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. This vulnerability is fixed in 2.16.0 and 2.15.0-lts.
Published: 2026-04-10
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Directory Traversal leading to arbitrary file write
Action: Immediate Patch
AI Analysis

Impact

The unzip() method in ApicurioCodegenWrapper extracts ZIP entries without validating that the resolved file path remains within the intended output directory. A malicious ZIP archive containing path traversal sequences such as ../../malicious.java can result in files being written outside the target directory. This allows an attacker to overwrite critical files or introduce malicious code in trusted locations, potentially compromising the integrity of the application.

Affected Systems

This vulnerability affects the quarkus-openapi-generator extension provided by Quarkus, specifically versions prior to 2.16.0 and the 2.15.0-lts release. The issue resides in the ApicurioCodegenWrapper component within that extension.

Risk and Exploitability

The CVSS score of 7.7 assigns high severity. EPSS information is not available, and the vulnerability has not been listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker would need to supply a crafted ZIP archive to the vulnerable code; the likely attack vector therefore depends on how the unzip functionality is exposed—such as through file uploads, API endpoints, or build scripts. Explicit exploitation details are not disclosed in the advisory, so the exact conditions for a successful attack remain unspecified.

Generated by OpenCVE AI on April 10, 2026 at 21:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading quarkus-openapi-generator to version 2.16.0 or 2.15.0-lts or later.
  • If an upgrade cannot be performed immediately, ensure that no untrusted ZIP archives are processed by the openapi generator in production.
  • Add validation to reject ZIP entries containing path traversal characters before extraction if upgrading is not feasible.
  • Monitor system logs for unexpected file writes or creation of files outside intended directories.
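An extraction loop with the validation the bullets above call for, written here as an added example (it is not the project's code or its fix): every entry name is resolved and normalized against the output directory and refused if it lands outside it. The class name, method names and the constructed sample archive are the example's own.

```java
import java.io.*;
import java.nio.file.*;
import java.util.zip.*;
// Added example (not the quarkus-openapi-generator code): a Zip Slip-safe unzip that
// normalizes each entry path against the output directory and refuses any that escape.
public class SafeUnzip {
    // Resolves entryName under outputDir; throws if the normalized path escapes it.
    static Path resolveEntry(Path outputDir, String entryName) throws IOException {
        Path root = outputDir.toAbsolutePath().normalize();
        Path target = root.resolve(entryName).normalize(); // collapses "../" segments
        if (!target.startsWith(root)) {
            throw new IOException("zip entry escapes output directory: " + entryName);
        }
        return target;
    }
    // Extracts the archive; aborts on the first entry that fails the check.
    static void unzip(InputStream zip, Path outputDir) throws IOException {
        try (ZipInputStream in = new ZipInputStream(zip)) {
            for (ZipEntry entry; (entry = in.getNextEntry()) != null; ) {
                Path target = resolveEntry(outputDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(in, target, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }
    // Constructed in-memory archive with the given entry names (empty contents).
    static byte[] zipOf(String... names) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String name : names) {
                zos.putNextEntry(new ZipEntry(name));
                zos.closeEntry();
            }
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws IOException {
        Path out = Files.createTempDirectory("codegen-out");
        try {
            unzip(new ByteArrayInputStream(zipOf("api/Client.java", "../../malicious.java")), out);
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage()); // the traversal entry is refused
        }
    }
}
```

If the output directory may itself contain symbolic links, resolve it with toRealPath() before the comparison so the check is made against the physical path.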

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-jx2w-vp7f-456q
Title: quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class
History

Thu, 21 May 2026 19:15:00 +0000

Values removed: (none)
Values added:
  First Time appeared: Quarkiverse quarkus Openapi Generator
  CPEs: cpe:2.3:a:quarkiverse:quarkus_openapi_generator:*:*:*:*:*:*:*:*
        cpe:2.3:a:quarkiverse:quarkus_openapi_generator:2.15.0:*:*:*:-:*:*:*
  Vendors & Products: Quarkiverse quarkus Openapi Generator
  Metrics (cvssV3_1): {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Mon, 13 Apr 2026 21:15:00 +0000

Values removed: (none)
Values added:
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Values removed: (none)
Values added:
  First Time appeared: Quarkiverse; Quarkiverse quarkus-openapi-generator
  Vendors & Products: Quarkiverse; Quarkiverse quarkus-openapi-generator

Fri, 10 Apr 2026 20:00:00 +0000

Values removed: (none)
Values added:
  Description: Quarkus OpenAPI Generator is Quarkus' extensions for generation of Rest Clients and server stubs generation. Prior to 2.16.0 and 2.15.0-lts, the unzip() method in ApicurioCodegenWrapper.java extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as new File(toOutputDir, entry.getName()) and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java) would write files outside the target directory. This vulnerability is fixed in 2.16.0 and 2.15.0-lts.
  Title: Zip Slip Path Traversal in quarkus-openapi-generator ApicurioCodegenWrapper class
  Weaknesses: CWE-22
  References:
  Metrics (cvssV4_0): {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T20:53:46.782Z

Reserved: 2026-04-09T20:59:17.619Z

Link: CVE-2026-40180

Vulnrichment

Updated: 2026-04-13T20:53:35.266Z

NVD

Status : Analyzed

Published: 2026-04-10T20:16:23.260

Modified: 2026-05-21T19:09:58.943

Link: CVE-2026-40180

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T12:57:31Z

Weaknesses