Lookup for vulnerable packages by Package URL.

Purl: pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.2.13
Type: maven
Namespace: io.quarkiverse.openapi.generator
Name: quarkus-openapi-generator
Version: 2.2.13
Qualifiers:
Subpath:
Is_vulnerable: true
Next_non_vulnerable_version: 2.16.0-lts
Latest_non_vulnerable_version: 2.17.0

Affected_by_vulnerabilities

[0] url: VCID-dtfz-cu9w-h7e3
vulnerability_id: VCID-dtfz-cu9w-h7e3
summary: quarkus-openapi-generator has overly broad path-parameter matching that sends authentication headers to unintended operations
### Summary

The generated authentication filter matches OpenAPI path templates too broadly when deciding whether to attach credentials. A security scheme configured for one operation can therefore be applied to a different same-method operation whose path only partially resembles the protected template, causing bearer tokens, API keys, or basic credentials to be sent to unintended endpoints.

### Details

The runtime authentication layer selects credentials by comparing the outgoing request path and method against the set of protected OpenAPI operations. Path-template matching treats `{param}` placeholders as `.*`, which incorrectly allows a single path parameter to consume `/`.

As a result, a protected path such as `/repos/{ref}` also matches `/repos/foo/bar`, even though `/repos/{owner}/{repo}` is a different operation. When a client invokes the unprotected operation, the authentication filter still concludes that the protected operation matched and attaches its credentials.

This affects authentication providers that rely on the shared path-matching logic, including bearer, OAuth, API-key, and basic authentication. The issue is reachable through normal generated-client usage and does not require modifying generated code.
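The matching defect described above, as an added example that is not part of the advisory or of the project's code: a self-contained Java class that converts an OpenAPI path template into a regex the way the advisory says the filter does (`{param}` becomes `.*`), beside a hardened variant in which a parameter cannot cross a `/` (`[^/]+`; an assumed fix, not necessarily the one upstream applied), and asks the filter's question for each outgoing request path: does it hit a protected template? With the two templates from the PoC spec, the broken rule treats `/repos/foo/bar` as a hit on the protected `/repos/{ref}`, so credentials would be attached; the segment-bounded rule matches it only against `/repos/{owner}/{repo}`. The class name and the sample paths are this example's own.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example (not project code): reproduces the path-template matching
// decision the advisory describes, in its broken and hardened forms.
public class PathTemplateMatch {

    // Turn an OpenAPI path template into an anchored regex. Literal text is
    // quoted; every {param} placeholder is replaced by placeholderRegex.
    static Pattern compile(String template, String placeholderRegex) {
        Matcher m = Pattern.compile("\\{[^/{}]+\\}").matcher(template);
        StringBuilder sb = new StringBuilder("^");
        int last = 0;
        while (m.find()) {
            sb.append(Pattern.quote(template.substring(last, m.start())));
            sb.append(placeholderRegex);
            last = m.end();
        }
        sb.append(Pattern.quote(template.substring(last)));
        sb.append('$');
        return Pattern.compile(sb.toString());
    }

    // Vulnerable rule from the advisory: {param} -> ".*", so one parameter can
    // swallow "/" and therefore several real path segments.
    static boolean matchesBroken(String template, String requestPath) {
        return compile(template, ".*").matcher(requestPath).matches();
    }

    // Hardened rule (assumed fix): a parameter matches exactly one non-empty segment.
    static boolean matchesFixed(String template, String requestPath) {
        return compile(template, "[^/]+").matcher(requestPath).matches();
    }

    // The filter's question: does this outgoing path hit any protected operation?
    static boolean wouldAttachCredentials(List<String> protectedTemplates,
                                          String requestPath, boolean brokenRule) {
        for (String t : protectedTemplates) {
            boolean hit = brokenRule ? matchesBroken(t, requestPath)
                                     : matchesFixed(t, requestPath);
            if (hit) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // From the PoC spec: only getRef (/repos/{ref}) carries bearerAuth.
        List<String> protectedOps = List.of("/repos/{ref}");
        String[] requests = {
            "/repos/main",      // getRef("main"): credentials expected
            "/repos/foo/bar",   // getOwnerRepo("foo", "bar"): no credentials expected
        };
        for (String path : requests) {
            System.out.printf("%-16s broken=%-5s fixed=%-5s%n", path,
                    wouldAttachCredentials(protectedOps, path, true),
                    wouldAttachCredentials(protectedOps, path, false));
        }
        // The hardened rule still routes the two-segment path to its own template.
        System.out.println("fixed rule, /repos/{owner}/{repo} vs /repos/foo/bar: "
                + matchesFixed("/repos/{owner}/{repo}", "/repos/foo/bar"));
    }
}
```

Compile and run with `javac PathTemplateMatch.java && java PathTemplateMatch`. This models only the path part of the decision; the real filter also compares the HTTP method, which is why the advisory speaks of "same-method" operations. When reviewing a fix, the property to check is the one exercised here: a template with N parameters must never match a request path with more than N corresponding segments.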

### PoC

```bash
mkdir -p /tmp/qoag-poc/src/main/java/org/acme
mkdir -p /tmp/qoag-poc/src/main/resources
mkdir -p /tmp/qoag-poc/src/main/openapi

cat > /tmp/qoag-poc/pom.xml <<'EOF'
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.acme</groupId>
  <artifactId>qoag-poc</artifactId>
  <version>1.0.0</version>

  <properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.release>17</maven.compiler.release>
    <quarkus.platform.group-id>io.quarkus</quarkus.platform.group-id>
    <quarkus.platform.artifact-id>quarkus-bom</quarkus.platform.artifact-id>
    <quarkus.platform.version>3.34.3</quarkus.platform.version>
    <qoag.version>2.16.0</qoag.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>${quarkus.platform.group-id}</groupId>
        <artifactId>${quarkus.platform.artifact-id}</artifactId>
        <version>${quarkus.platform.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>io.quarkiverse.openapi.generator</groupId>
      <artifactId>quarkus-openapi-generator</artifactId>
      <version>${qoag.version}</version>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-rest</artifactId>
    </dependency>
    <dependency>
      <groupId>io.quarkus</groupId>
      <artifactId>quarkus-rest-client-jackson</artifactId>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>io.quarkus</groupId>
        <artifactId>quarkus-maven-plugin</artifactId>
        <version>${quarkus.platform.version}</version>
        <extensions>true</extensions>
        <executions>
          <execution>
            <goals>
              <goal>build</goal>
              <goal>generate-code</goal>
              <goal>generate-code-tests</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
      <plugin>
        <artifactId>maven-compiler-plugin</artifactId>
        <version>3.14.0</version>
        <configuration>
          <parameters>true</parameters>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>
EOF

cat > /tmp/qoag-poc/src/main/openapi/repro.yaml <<'EOF'
openapi: 3.0.3
info:
  title: repro
  version: 1.0.0

paths:
  /repos/{ref}:
    get:
      operationId: getRef
      parameters:
        - in: path
          name: ref
          required: true
          schema:
            type: string
      security:
        - bearerAuth: []
      responses:
        "200":
          description: ok
          content:
            text/plain:
              schema:
                type: string

  /repos/{owner}/{repo}:
    get:
      operationId: getOwnerRepo
      parameters:
        - in: path
          name: owner
          required: true
          schema:
            type: string
        - in: path
          name: repo
          required: true
          schema:
            type: string
      responses:
        "200":
          description: ok
          content:
            text/plain:
              schema:
                type: string

components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
EOF

cat > /tmp/qoag-poc/src/main/resources/application.properties <<'EOF'
quarkus.http.port=8081
quarkus.openapi-generator.codegen.default-security-scheme=bearerAuth
quarkus.openapi-generator.codegen.spec.repro_yaml.base-package=org.acme.repro
quarkus.rest-client.repro_yaml.url=http://127.0.0.1:18080
quarkus.openapi-generator.repro_yaml.auth.bearerAuth.bearer-token=SECRET
EOF

cat > /tmp/qoag-poc/src/main/java/org/acme/TriggerResource.java <<'EOF'
package org.acme;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MediaType;
import org.eclipse.microprofile.rest.client.inject.RestClient;

@Path("/trigger")
public class TriggerResource {
    @RestClient
    org.acme.repro.api.DefaultApi api;

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public String trigger() {
        api.getOwnerRepo("foo", "bar");
        return "done";
    }
}
EOF

python - <<'PY' &
from http.server import BaseHTTPRequestHandler, HTTPServer
class H(BaseHTTPRequestHandler):
    def do_GET(self):
        print("PATH=" + self.path, flush=True)
        print("AUTH=" + str(self.headers.get("Authorization")), flush=True)
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")
    def log_message(self, fmt, *args):
        pass
HTTPServer(("127.0.0.1", 18080), H).serve_forever()
PY

cd /tmp/qoag-poc
mvn -q package -DskipTests
java -jar target/quarkus-app/quarkus-run.jar &
sleep 8
curl -s http://127.0.0.1:8081/trigger

# PATH=/repos/foo/bar
# AUTH=Bearer SECRET
```

### Impact

Clients generated from an OpenAPI specification can send authentication credentials to endpoints that were not intended to receive them. In practice, this can disclose bearer tokens, API keys, or basic credentials to lower-trust routes on the same service, cause public operations to be invoked with privileged credentials, and blur the intended security boundary between protected and unprotected operations.
references

[0] reference_url: https://api.first.org/data/v1/epss?cve=CVE-2026-42333
    scores (epss; value = probability, scoring_elements = percentile):
    - 0.00218 / 0.44506, published_at 2026-06-07T12:55:00Z
    - 0.00218 / 0.44483, published_at 2026-06-09T12:55:00Z
    - 0.00218 / 0.44471, published_at 2026-06-08T12:55:00Z
    - 0.00218 / 0.44527, published_at 2026-06-06T12:55:00Z
    - 0.00218 / 0.44519, published_at 2026-06-05T12:55:00Z

[1] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    - generic_textual MODERATE

[2] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator/pull/1586
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    - generic_textual MODERATE
    - ssvc Track: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/

[3] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.11.1-lts
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    - generic_textual MODERATE
    - ssvc Track: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/

[4] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.16.0-lts
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    - generic_textual MODERATE
    - ssvc Track: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/

[5] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator/releases/tag/2.17.0
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    - generic_textual MODERATE
    - ssvc Track: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/

[6] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-fr8f-rwjx-f32v
    scores:
    - cvssv3.1_qr MODERATE
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    - generic_textual MODERATE
    - ssvc Track: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-11T14:58:43Z/

[7] reference_url: https://nvd.nist.gov/vuln/detail/CVE-2026-42333
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
    - generic_textual MODERATE

[8] reference_url: https://github.com/advisories/GHSA-fr8f-rwjx-f32v
    reference_id: GHSA-fr8f-rwjx-f32v
    scores:
    - cvssv3.1_qr MODERATE
fixed_packages

[0] purl: pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.16.0-lts
    is_vulnerable: false
    affected_by_vulnerabilities: (none)
    resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.16.0-lts

[1] purl: pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.17.0
    is_vulnerable: false
    affected_by_vulnerabilities: (none)
    resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.17.0

aliases: CVE-2026-42333, GHSA-fr8f-rwjx-f32v
risk_score: 3.1
exploitability: 0.5
weighted_severity: 6.2
resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-dtfz-cu9w-h7e3
[1] url: VCID-nxrd-h3dz-w7fm
vulnerability_id: VCID-nxrd-h3dz-w7fm
summary: quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class
### Summary
A Zip Slip path traversal vulnerability was discovered in the quarkus-openapi-generator extension, in the server-side (Apicurio) code-generation path.

### Details
The `unzip()` method in `ApicurioCodegenWrapper.java` extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the destination is constructed as `new File(toOutputDir, entry.getName())` and the content is written immediately. A malicious ZIP archive containing entries with path traversal sequences (e.g., `../../malicious.java`) would write files outside the target directory.

The client module in the same repository already carries the correct check: `OpenApiGeneratorStreamCodeGen.java` at line 137 normalizes the resolved path and verifies with `startsWith()` that it stays inside the output directory. The server module was simply missed.

### PoC
This vulnerability is exploitable when an attacker controls or can intercept the ZIP archive served by the Apicurio registry. In environments where the registry connection is over an untrusted network or where TLS is not properly configured, exploitation becomes practical. The attack occurs at build/codegen time.

1. Create a ZIP file containing an entry named `../../proof.txt` with arbitrary content
2. Configure quarkus-openapi-generator to use the server (Apicurio) code generation path
3. Serve the malicious ZIP from a controlled or MITM'd Apicurio registry endpoint
4. Trigger code generation
5. Observe that `proof.txt` is written two directories above the intended output
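The defect in `unzip()` and the five PoC steps above, as an added Java example that is not the project's code: the unsafe destination construction quoted in the Details beside an extraction routine that applies the `normalize()`/`startsWith()` check the advisory says the client module already uses. Instead of a registry, a constructed archive is built in memory with one benign entry and a `../../proof.txt` entry, standing in for what a hostile or intercepted Apicurio endpoint would serve. The class name, the entry names and the temporary output directory are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added example (not project code): Zip Slip in the shape the advisory
// describes, and a hardened extraction that confines entries to the output dir.
public class ZipSlipDemo {

    // Vulnerable shape from the advisory: the entry name is joined to the output
    // directory and used as-is, so "../../proof.txt" resolves above it.
    static File vulnerableDestination(File toOutputDir, ZipEntry entry) {
        return new File(toOutputDir, entry.getName());
    }

    // Hardened resolution: normalize the joined path and refuse anything that
    // does not stay under the (absolute, normalized) output root. An absolute
    // entry name also fails, because resolve() returns it unchanged.
    static Path safeDestination(Path root, String entryName) throws IOException {
        Path target = root.resolve(entryName).normalize();
        if (!target.startsWith(root)) {
            throw new IOException("zip entry escapes output directory: " + entryName);
        }
        return target;
    }

    // Extracts the archive and returns the files written, relative to the root.
    // Each entry is validated before it is written; a hostile entry aborts.
    static List<String> unzipSafely(InputStream in, Path toOutputDir) throws IOException {
        Path root = toOutputDir.toAbsolutePath().normalize();
        List<String> written = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(in)) {
            ZipEntry entry;
            while ((entry = zis.getNextEntry()) != null) {
                Path target = safeDestination(root, entry.getName());
                if (entry.isDirectory()) {
                    Files.createDirectories(target);
                } else {
                    Files.createDirectories(target.getParent());
                    Files.copy(zis, target, StandardCopyOption.REPLACE_EXISTING);
                    written.add(root.relativize(target).toString());
                }
                zis.closeEntry();
            }
        }
        return written;
    }

    // Constructed malicious archive (this example's own data): one benign
    // generated file, then the traversal entry from step 1 of the PoC.
    static byte[] craftedZip() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("generated/Ok.java"));
            zos.write("class Ok {}".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
            zos.putNextEntry(new ZipEntry("../../proof.txt"));
            zos.write("escaped".getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path out = Files.createTempDirectory("codegen-out");

        // Vulnerable: where the construction quoted in the advisory would write.
        File escaped = vulnerableDestination(out.toFile(), new ZipEntry("../../proof.txt"));
        System.out.println("vulnerable target: " + escaped.getCanonicalPath());

        // Hardened: the benign entry is written, the traversal entry is refused.
        try {
            unzipSafely(new ByteArrayInputStream(craftedZip()), out);
        } catch (IOException e) {
            System.out.println("refused: " + e.getMessage());
        }
        System.out.println("proof.txt above output dir exists: "
                + Files.exists(out.resolve("../../proof.txt").normalize()));
    }
}
```

Run with `javac ZipSlipDemo.java && java ZipSlipDemo`. Two caveats for a real codegen pipeline: validating per entry means entries extracted before the hostile one are already on disk, so either check every name before writing anything or extract into a fresh temporary directory and move it into place only on success; and the containment check is a last line of defence, not a substitute for a properly verified TLS connection to the registry, which is what removes the interception precondition the PoC relies on.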


### Impact
An attacker who can serve a crafted ZIP to the code generation pipeline could write arbitrary files on the build machine. This could overwrite source files, inject malicious code into the build output, or modify configuration files. In CI/CD environments, this could lead to supply chain compromise.
references

[0] reference_url: https://api.first.org/data/v1/epss?cve=CVE-2026-40180
    scores (epss; value = probability, scoring_elements = percentile):
    - 0.00096 / 0.26561, published_at 2026-06-06T12:55:00Z
    - 0.00096 / 0.26468, published_at 2026-06-09T12:55:00Z
    - 0.00096 / 0.26463, published_at 2026-06-08T12:55:00Z
    - 0.00096 / 0.26519, published_at 2026-06-07T12:55:00Z
    - 0.00096 / 0.26571, published_at 2026-06-05T12:55:00Z

[1] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
    - generic_textual MODERATE

[2] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator/commit/08b406414ff30ed192e86c7fa924e57565534ff0
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
    - cvssv4 7.7: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
    - generic_textual MODERATE
    - ssvc Track: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:53:43Z/

[3] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator/commit/e2a9c629a3df719abc74569a3795c265fd0e1239
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
    - cvssv4 7.7: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
    - generic_textual MODERATE
    - ssvc Track: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:53:43Z/

[4] reference_url: https://github.com/quarkiverse/quarkus-openapi-generator/security/advisories/GHSA-jx2w-vp7f-456q
    scores:
    - cvssv3.1_qr MODERATE
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
    - cvssv4 7.7: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
    - generic_textual MODERATE
    - ssvc Track: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-13T20:53:43Z/

[5] reference_url: https://nvd.nist.gov/vuln/detail/CVE-2026-40180
    scores:
    - cvssv4 6.3: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
    - generic_textual MODERATE

[6] reference_url: https://github.com/advisories/GHSA-jx2w-vp7f-456q
    reference_id: GHSA-jx2w-vp7f-456q
    scores:
    - cvssv3.1_qr MODERATE
fixed_packages

[0] purl: pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.16.0
    is_vulnerable: true
    affected_by_vulnerabilities: VCID-dtfz-cu9w-h7e3
    resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.16.0

Note that 2.16.0 closes this issue but is still affected by VCID-dtfz-cu9w-h7e3 (the credential-routing bug above); 2.16.0-lts and 2.17.0 are the versions this page lists as free of both.

aliases: CVE-2026-40180, GHSA-jx2w-vp7f-456q
risk_score: 3.5
exploitability: 0.5
weighted_severity: 6.9
resource_url: http://public2.vulnerablecode.io/vulnerabilities/VCID-nxrd-h3dz-w7fm
Fixing_vulnerabilities: (none)
Risk_score: 3.5
Resource_url: http://public2.vulnerablecode.io/packages/pkg:maven/io.quarkiverse.openapi.generator/quarkus-openapi-generator@2.2.13