Platform: java
Component: quarkus-openapi-generator
Fixed in: 2.15.1, 2.16.1
CVE-2026-40180 is a Path Traversal vulnerability affecting Quarkus OpenAPI Generator versions up to 2.16.0. This flaw allows attackers to leverage specially crafted ZIP archives to write files outside the designated output directory, potentially leading to code injection or other malicious activities. The vulnerability stems from insufficient path validation during ZIP entry extraction. A fix is available in version 2.16.0.
An attacker could exploit this vulnerability by crafting a malicious ZIP archive containing entries with path traversal sequences (e.g., ../../malicious.java). When the Quarkus OpenAPI Generator processes this archive, it would write the malicious file outside the intended output directory. This could allow an attacker to overwrite critical system files, inject malicious code into the application, or gain unauthorized access to sensitive data. The potential impact is significant, as it could lead to complete system compromise, particularly in environments where the generator is used to automate code generation and deployment.
This vulnerability was publicly disclosed on 2026-04-10. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog. The probability of exploitation is currently considered low, but the potential impact warrants prompt mitigation.
Exploit Status
EPSS: 0.06% (18th percentile)
CISA SSVC
The primary mitigation for CVE-2026-40180 is to upgrade to Quarkus OpenAPI Generator version 2.16.0 or later, which includes the necessary path validation fixes. If upgrading is not immediately feasible, consider implementing input validation on the ZIP archive being processed. This could involve scanning the archive for suspicious filenames or path traversal sequences before extraction. Additionally, restrict the permissions of the user running the Quarkus OpenAPI Generator to minimize the potential damage from a successful exploit. After upgrading, confirm the fix by attempting to process a test ZIP archive containing path traversal sequences and verifying that the files are not written outside the intended output directory.
Update to version 2.16.0 or 2.15.0-lts of quarkus-openapi-generator to mitigate the path traversal vulnerability. This update corrects the path validation performed when extracting ZIP files, preventing files from being written outside the target directory.
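The kind of per-entry validation the mitigation describes, as an added example that is not code from the Quarkus OpenAPI Generator project: each entry name is resolved and normalized against the output directory and rejected before any write if it lands outside it, and `main` runs the verification step from the paragraph above against a constructed in-memory archive (class and method names are assumptions).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;
public final class SafeZipExtractor {
    /** Returns the on-disk target for an entry name, or throws if it would escape outputDir. */
    static Path resolveEntry(Path outputDir, String entryName) throws IOException {
        Path root = outputDir.toAbsolutePath().normalize();
        // normalize() collapses "../" and "./"; an absolute entry name replaces root and fails too.
        Path target = root.resolve(entryName).normalize();
        // Path.startsWith compares whole components, so "/out" does not match "/outside".
        if (!target.startsWith(root)) {
            throw new IOException("ZIP entry escapes output directory: " + entryName);
        }
        return target;
    }
    /** Extracts the archive read from in into outputDir and returns the number of files written. */
    public static int extract(InputStream in, Path outputDir) throws IOException {
        int written = 0;
        try (ZipInputStream zip = new ZipInputStream(in)) {
            for (ZipEntry e; (e = zip.getNextEntry()) != null; zip.closeEntry()) {
                Path target = resolveEntry(outputDir, e.getName()); // validate before any write
                if (e.isDirectory()) { Files.createDirectories(target); continue; }
                Files.createDirectories(target.getParent());
                Files.copy(zip, target, StandardCopyOption.REPLACE_EXISTING);
                written++;
            }
        }
        return written;
    }
    public static void main(String[] args) throws IOException {
        // Constructed test archive (not a real artifact): one normal entry and one "../" entry.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(buf)) {
            z.putNextEntry(new ZipEntry("api/Api.java")); z.closeEntry();
            z.putNextEntry(new ZipEntry("../escaped.java")); z.closeEntry();
        }
        Path out = Files.createTempDirectory("gen-out");
        try { extract(new ByteArrayInputStream(buf.toByteArray()), out); }
        catch (IOException ex) { System.out.println("Rejected: " + ex.getMessage()); }
    }
}
```

Because entries are validated as they are reached, a rejected entry can leave earlier entries already written; a pre-scan that runs `resolveEntry` over every name before extracting anything avoids that partial state.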
CVE-2026-40180 is a Path Traversal vulnerability in Quarkus OpenAPI Generator versions up to 2.16.0, allowing attackers to write files outside the intended output directory using malicious ZIP archives.
You are affected if you are using Quarkus OpenAPI Generator versions 2.16.0 or earlier. Upgrade to 2.16.0 to resolve the vulnerability.
Upgrade to version 2.16.0 or later. Consider input validation on ZIP archives as a temporary workaround if upgrading is not immediately possible.
There are currently no known public exploits or active campaigns targeting CVE-2026-40180, but prompt mitigation is still recommended.
Refer to the Quarkus project's security advisories for the latest information and updates regarding CVE-2026-40180.