CVE-2026-42333 affects Quarkus OpenAPI Generator and can cause generated authentication filters to send credentials to unintended endpoints. The issue is an authorization-matching flaw rather than a remote code execution problem, but it can still expose bearer tokens, API keys, or basic credentials to the wrong path that shares the same method.
CVE-2026-40180 is a path traversal issue in Quarkus OpenAPI Generator’s ZIP extraction logic. A malicious archive can cause files to be written outside the intended output directory because unzip() constructs the destination directly from the ZIP entry name and writes the content without verifying that the resolved path stays within the target directory. The issue is fixed in 2.16.0 and 2.15.0-lts.
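
A containment check of the kind the paragraph above describes as missing, as an added Java example (not the project's code or its actual fix). The class SafeUnzip, the helper resolveInside, the output directory name and the entry names in main are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public final class SafeUnzip {
    // Hypothetical helper: resolve an entry name under targetDir, reject escapes.
    static Path resolveInside(Path targetDir, String entryName) throws IOException {
        Path root = targetDir.toAbsolutePath().normalize();
        // normalize() collapses ".." segments before the containment check.
        Path dest = root.resolve(entryName).normalize();
        // Path.startsWith compares whole elements, so /out-x does not match /out.
        if (!dest.startsWith(root)) {
            throw new IOException("ZIP entry escapes target directory: " + entryName);
        }
        return dest;
    }

    // Extraction loop that never writes to a path it has not validated.
    static void unzip(InputStream archive, Path targetDir) throws IOException {
        Files.createDirectories(targetDir);
        try (ZipInputStream zis = new ZipInputStream(archive)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path dest = resolveInside(targetDir, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                } else {
                    Files.createDirectories(dest.getParent());
                    Files.copy(zis, dest, StandardCopyOption.REPLACE_EXISTING);
                }
            }
        }
    }

    public static void main(String[] args) {
        Path out = Path.of("generated"); // assumed output directory
        // Constructed entry names: one legitimate, three that must be rejected.
        for (String name : new String[] {"api/openapi.yaml", "../outside.txt", "a/../../outside.txt", "/tmp/outside.txt"}) {
            try {
                System.out.println("ok      " + resolveInside(out, name));
            } catch (IOException e) {
                System.out.println("blocked " + name);
            }
        }
    }
}
```

The check is lexical: normalize() does not resolve symbolic links that already exist under the target directory.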