CVE-2026-40180
quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class
Description
### Summary

A path traversal vulnerability was discovered in the quarkus-openapi-generator extension.

### Details

The `unzip()` method in `ApicurioCodegenWrapper.java` extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as `new File(toOutputDir, entry.getName())` and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., `../../malicious.java`) would write files outside the target directory.

The interesting thing is that the client module in the same repository already has the correct fix. `OpenApiGeneratorStreamCodeGen.java` at line 137 performs proper `normalize()` and `startsWith()` validation. The server module was simply missed.

### PoC

This vulnerability is exploitable when an attacker controls or can intercept the ZIP archive served by the Apicurio registry. In environments where the registry connection is over an untrusted network or where TLS is not properly configured, exploitation becomes practical. The attack occurs at build/codegen time.

1. Create a ZIP file containing an entry named `../../proof.txt` with arbitrary content
2. Configure quarkus-openapi-generator to use the server (Apicurio) code generation path
3. Serve the malicious ZIP from a controlled or MITM'd Apicurio registry endpoint
4. Trigger code generation
5. Observe that `proof.txt` is written two directories above the intended output

### Impact

An attacker who can serve a crafted ZIP to the code generation pipeline could write arbitrary files on the build machine. This could overwrite source files, inject malicious code into the build output, or modify configuration files. In CI/CD environments, this could lead to supply chain compromise.
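The hardened extraction pattern the advisory describes (`normalize()` followed by a `startsWith()` containment check), as an added illustration that is not the extension's own code: the class and method names `SafeUnzip`, `resolveEntry` and `unzip` are assumptions, and the sample entry names are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class SafeUnzip {

    /** Resolve an archive entry against outputDir, rejecting any entry that escapes it. */
    static Path resolveEntry(Path outputDir, String entryName) throws IOException {
        Path root = outputDir.toAbsolutePath().normalize();
        // normalize() collapses "../" segments, so startsWith() is a real containment check.
        // An absolute entry name also fails the check, since resolve() returns it unchanged.
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("ZIP entry escapes output directory: " + entryName);
        }
        return target;
    }

    /** Hardened counterpart of the vulnerable new File(toOutputDir, entry.getName()) pattern. */
    static void unzip(InputStream zipStream, Path outputDir) throws IOException {
        try (ZipInputStream zis = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = resolveEntry(outputDir, entry.getName()); // validate before any write
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                }
                zis.closeEntry();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        Path out = Files.createTempDirectory("codegen-out");
        // Constructed sample entries: a normal generated source passes, a traversal entry is rejected.
        System.out.println("accepted: " + resolveEntry(out, "api/Client.java"));
        try {
            resolveEntry(out, "../../proof.txt");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```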
How to fix CVE-2026-40180
To remediate CVE-2026-40180, upgrade the affected package to a fixed version below.
- quarkus-openapi-generator: upgrade to 2.16.0 or later
Is CVE-2026-40180 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.