CVE-2026-40180 Overview
CVE-2026-40180 is a Path Traversal vulnerability in the Quarkus OpenAPI Generator, a Quarkus extension used for generating REST Clients and server stubs. The vulnerability exists in the unzip() method within ApicurioCodegenWrapper.java, which extracts ZIP entries without validating that the resolved file path remains within the intended output directory. This flaw allows attackers to write arbitrary files outside the target directory by crafting malicious ZIP archives containing path traversal sequences.
Critical Impact
Attackers can leverage malicious ZIP archives with path traversal sequences (e.g., ../../malicious.java) to write arbitrary files outside the intended directory, potentially leading to code execution, configuration tampering, or system compromise.
Affected Products
- Quarkus OpenAPI Generator versions prior to 2.16.0
- Quarkus OpenAPI Generator LTS versions prior to 2.15.0-lts
Discovery Timeline
- April 10, 2026 - CVE-2026-40180 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40180
Vulnerability Analysis
The vulnerability stems from inadequate input validation during ZIP file extraction operations. At line 101 of ApicurioCodegenWrapper.java, the destination path is constructed using new File(toOutputDir, entry.getName()) and file content is written immediately without any path canonicalization or boundary checks. This classic Zip Slip vulnerability pattern allows malicious archives to escape the extraction directory through directory traversal sequences embedded in entry names.
The attack exploits the trust placed in ZIP entry names. When a ZIP file contains an entry named with relative path components like ../../etc/malicious.java, the naive file path construction concatenates this with the output directory, resulting in a path that resolves outside the intended extraction location. The immediate write operation following path construction means there is no opportunity for validation before potentially dangerous file operations occur.
Root Cause
The root cause is a missing path validation check in the unzip() method of ApicurioCodegenWrapper.java. The code directly uses entry.getName() from ZIP entries to construct file paths without:
- Canonicalizing the resulting path to resolve traversal sequences
- Verifying that the canonical path starts with the intended output directory
- Rejecting entries containing suspicious path components like ..
This represents a CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) vulnerability where user-controlled input influences file system operations without proper sanitization.
Attack Vector
The attack vector is network-based, requiring an attacker to supply a malicious ZIP archive that will be processed by the vulnerable unzip() method. Exploitation scenarios include:
- Supply Chain Attack: An attacker compromises or creates a malicious OpenAPI specification source that provides ZIP archives containing path traversal payloads
- Man-in-the-Middle: Intercepting and modifying legitimate ZIP archives in transit to inject malicious entries
- Malicious Repository: Hosting crafted archives on repositories that developers might reference during code generation
A successful attack could overwrite critical application files, inject malicious source code that gets compiled into the application, or modify configuration files to alter application behavior.
Detection Methods for CVE-2026-40180
Indicators of Compromise
- Unexpected files appearing outside expected extraction directories
- Modified Java source files in project directories that were not manually changed
- Build artifacts containing unexpected or suspicious code
- File system audit logs showing writes to paths containing ../ sequences originating from the Quarkus OpenAPI Generator process
Detection Strategies
- Monitor file system operations during build processes for writes outside designated output directories
- Implement static analysis on generated code to detect unexpected file modifications
- Review build logs for any errors or warnings related to path handling during code generation
- Audit dependency versions to identify use of vulnerable Quarkus OpenAPI Generator versions
Monitoring Recommendations
- Enable file integrity monitoring on critical project directories and build outputs
- Configure build environment security controls to restrict file write permissions to designated directories
- Implement network monitoring to detect suspicious ZIP file downloads during build processes
- Regularly audit project dependencies using software composition analysis tools
How to Mitigate CVE-2026-40180
Immediate Actions Required
- Upgrade Quarkus OpenAPI Generator to version 2.16.0 or later immediately
- For LTS track users, upgrade to version 2.15.0-lts or later
- Audit existing generated code for any signs of tampering or unexpected modifications
- Review build environment file system for unauthorized files that may have been written outside expected directories
Patch Information
The vulnerability has been fixed in Quarkus OpenAPI Generator versions 2.16.0 and 2.15.0-lts. The security patches implement proper path validation to ensure extracted files cannot escape the intended output directory. For detailed information about the fixes, refer to the GitHub Security Advisory.
Patch commits are available at:
Workarounds
- If immediate upgrade is not possible, restrict network access during build processes to only trusted sources
- Implement build-time validation that scans ZIP archives for path traversal sequences before processing
- Use containerized build environments with restricted file system access to limit the impact of potential exploitation
- Manually inspect ZIP archives from untrusted sources before allowing them to be processed by the generator
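The canonicalize-and-prefix check that the Root Cause section says unzip() lacks, combined with the build-time archive pre-scan listed in the Workarounds above, as an added Java example; this is hypothetical code, not the project's patch, and the class name SafeUnzip and the unzip(File, File) signature are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

// Hypothetical hardened form of the unzip() step described above; not the project's code.
public class SafeUnzip {
    // Names of entries that would resolve outside toOutputDir (empty list = archive is clean).
    // This is the build-time pre-scan suggested under Workarounds, applied before any write.
    public static List<String> findTraversalEntries(ZipFile zf, File toOutputDir) throws IOException {
        // Trailing separator so "/tmp/out" does not accept "/tmp/out-evil/x.java" as a prefix.
        String outRoot = toOutputDir.getCanonicalPath() + File.separator;
        List<String> bad = new ArrayList<>();
        for (ZipEntry entry : Collections.list(zf.entries())) {
            // Same construction as the vulnerable code, but getCanonicalPath() collapses "../" first.
            File dest = new File(toOutputDir, entry.getName());
            if (!dest.getCanonicalPath().startsWith(outRoot)) {
                bad.add(entry.getName());
            }
        }
        return bad;
    }

    public static void unzip(File zip, File toOutputDir) throws IOException {
        try (ZipFile zf = new ZipFile(zip)) {
            List<String> bad = findTraversalEntries(zf, toOutputDir);
            if (!bad.isEmpty()) {
                throw new IOException("Zip Slip entries rejected: " + bad);
            }
            for (ZipEntry entry : Collections.list(zf.entries())) {
                File dest = new File(toOutputDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(dest.toPath());
                    continue;
                }
                Files.createDirectories(dest.getParentFile().toPath());
                try (InputStream in = zf.getInputStream(entry)) {
                    Files.copy(in, dest.toPath(), StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }
}
```

Because the whole archive is scanned before the first write, a rejected archive leaves the output directory untouched rather than partially extracted.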
# Update Quarkus OpenAPI Generator in Maven pom.xml
# Change version from vulnerable version to patched version:
# For standard track: update to 2.16.0 or later
# For LTS track: update to 2.15.0-lts or later
mvn versions:use-dep-version -Dincludes=io.quarkiverse.openapi.generator:* -DdepVersion=2.16.0
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.