PatchSiren cyber security CVE debrief

CVE-2026-40180 quarkiverse CVE debrief

CVE-2026-40180 is a path traversal issue in Quarkus OpenAPI Generator’s ZIP extraction logic. A malicious archive can cause files to be written outside the intended output directory because unzip() constructs the destination directly from the ZIP entry name and writes the content without verifying that the resolved path stays within the target directory. The issue is fixed in 2.16.0 and 2.15.0-lts.

Vendor: quarkiverse
Product: quarkus-openapi-generator
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-10
Original CVE updated: 2026-05-21
Advisory published: 2026-04-10
Advisory updated: 2026-05-21

Who should care

Teams using Quarkus OpenAPI Generator to process ZIP-based inputs, especially developers, build engineers, and CI/CD maintainers who rely on generated client or server stub workflows. If your pipeline accepts archives from less-trusted sources, this flaw can turn ZIP extraction into an unintended file-write primitive outside the expected output tree.

Technical summary

The vulnerability is a CWE-22 path traversal weakness in ApicurioCodegenWrapper.java’s unzip() method. According to the advisory description, the code creates the output file with new File(toOutputDir, entry.getName()) and writes the entry immediately, without validating that the normalized destination remains under the intended output directory. That allows crafted ZIP entry names such as traversal sequences to escape the destination tree. NVD marks the issue as analyzed and links it to patches and the vendor advisory; the GitHub advisory also lists CWE-22.

Defensive priority

High. The flaw can lead to unauthorized file writes outside the intended directory, which is a serious integrity risk in automation and build contexts. Prioritize upgrading to a fixed release, and review any workflow that consumed ZIP archives while the vulnerable version was in use.

Recommended defensive actions

  • Upgrade Quarkus OpenAPI Generator to 2.16.0 or 2.15.0-lts, which the advisory identifies as fixed releases.
  • Review any build or generation pipeline that accepts ZIP archives and treat archive contents as untrusted input.
  • Add defensive path validation in any similar extraction code: resolve the candidate path and confirm it stays within the intended output directory before writing.
  • Audit existing output directories for unexpected files if the vulnerable version may have processed attacker-influenced archives.
  • Consult the vendor advisory and the referenced patch commits when validating your remediation plan.
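The following Java program is an added illustration for this debrief; it is not code from the quarkus-openapi-generator project, and the class, method and entry names in it are assumptions. It places the weak idiom quoted in the technical summary (building the destination with new File(toOutputDir, entry.getName()) and writing immediately) beside the check recommended above: normalize the candidate path and confirm it still lies under the output directory before writing. It also includes a pre-flight pass that lists escaping entries without extracting, which is the shape of check a CI pipeline can run on an untrusted archive before handing it to a generator. The archive it processes is constructed in memory.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafeUnzip {

    // Weak pattern as described in the advisory: the destination is built
    // straight from the untrusted entry name, so "../" sequences are honoured.
    // Kept here only to show what the hardened version replaces.
    static File weakDestination(File toOutputDir, ZipEntry entry) {
        return new File(toOutputDir, entry.getName());
    }

    // Hardened resolution (assumed helper name): normalize the candidate and
    // require that it still starts with the normalized output root. Absolute
    // entry names and "../" escapes both fail the startsWith test.
    static Path safeResolve(Path outputDir, String entryName) throws IOException {
        Path root = outputDir.toAbsolutePath().normalize();
        Path candidate = root.resolve(entryName).normalize();
        if (!candidate.startsWith(root)) {
            throw new IOException("ZIP entry escapes output directory: " + entryName);
        }
        return candidate;
    }

    // Pre-flight check for pipelines: report every entry that would escape,
    // without writing anything to disk.
    static List<String> findEscapingEntries(InputStream zipStream, Path outputDir) throws IOException {
        List<String> escaping = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                try {
                    safeResolve(outputDir, entry.getName());
                } catch (IOException e) {
                    escaping.add(entry.getName());
                }
                zin.closeEntry();
            }
        }
        return escaping;
    }

    // Extraction that validates each destination before any write.
    static List<Path> unzipSafely(InputStream zipStream, Path outputDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(zipStream)) {
            ZipEntry entry;
            while ((entry = zin.getNextEntry()) != null) {
                Path dest = safeResolve(outputDir, entry.getName()); // throws on escape
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                } else {
                    Files.createDirectories(dest.getParent());
                    Files.copy(zin, dest, StandardCopyOption.REPLACE_EXISTING);
                    written.add(dest);
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample archive: one legitimate entry and one traversal entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(buf)) {
            zout.putNextEntry(new ZipEntry("generated/Client.java"));
            zout.write("// generated stub".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
            zout.putNextEntry(new ZipEntry("../../outside.txt"));
            zout.write("should never be written".getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
        }
        byte[] archive = buf.toByteArray();
        Path outputDir = Files.createTempDirectory("openapi-out");

        // Pre-flight: names the traversal entry, writes nothing.
        System.out.println("Escaping entries: "
                + findEscapingEntries(new ByteArrayInputStream(archive), outputDir));

        // Extraction: the legitimate entry is written, the traversal entry is rejected.
        try {
            unzipSafely(new ByteArrayInputStream(archive), outputDir);
        } catch (IOException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

Because ZipInputStream is single-pass, unzipSafely can have written earlier, legitimate entries before it rejects a later one; running findEscapingEntries first, or extracting into a fresh temporary directory and moving it into place only on success, avoids leaving a partially extracted tree behind. Code that stays on the java.io.File API can express the same check by comparing getCanonicalPath() of the candidate against the canonical path of the output directory, with the caveat that canonicalization also resolves symbolic links.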

Evidence notes

The supplied NVD record states the issue affects versions prior to 2.16.0 and 2.15.0-lts and maps it to CWE-22. The advisory description says unzip() constructs the destination with new File(toOutputDir, entry.getName()) and writes content immediately, enabling path traversal outside the target directory. The linked GitHub Security Advisory GHSA-jx2w-vp7f-456q is tagged as both Exploit and Vendor Advisory, and the two referenced commits are marked as patches.

Official resources

CVE published 2026-04-10 and last modified 2026-05-21. The supplied source set includes official CVE/NVD records plus GitHub advisory and patch references. No KEV entry is provided in the supplied data.