CVE-2026-32735 in openapi-to-java-records-mustache-templates-parent
Summary
by MITRE • 03/19/2026
openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project (`openapi-to-java-records-mustache-templates-parent`), which is used to centralize plugin configurations for multiple unit-test modules, uses `maven-dependency-plugin` to unpack arbitrary `.mustache` files from the `openapi-to-java-records-mustache-templates` artifact (of the same version). While this parent POM file is not intended for external use, it is published, could be used by anyone, and does not follow the best security practices. The risk is that if `openapi-to-java-records-mustache-templates` were compromised, and malicious `.mustache` files were included in the resulting JAR/artifact, users would unpack these files automatically during a dependency update. This is addressed in the v3.5.1 release of `openapi-to-java-records-mustache-templates-parent`. It is strongly recommended NOT to use the parent POM for external use. The `openapi-to-java-records-mustache-templates` module is the center of this project, and surrounding modules and configurations are not intended for production use. These only exist for testing purposes and maintainability.
Analysis
by VulDB Data Team • 03/23/2026
The flaw sits in the parent POM of the openapi-to-java-records-mustache-templates project, versions 5.1.1 through 5.5.0. Its maven-dependency-plugin configuration unpacks every .mustache template file from the main openapi-to-java-records-mustache-templates artifact into the consuming build, with no restriction on which files are accepted. That is a software supply chain exposure rather than a bug in the templates themselves: if the main artifact were ever compromised and malicious templates added to the JAR, any build inheriting the parent POM would pull them in silently the next time the version was bumped. The record categorizes the weakness under CWE-22 (Path Traversal); in practice the mechanism is inclusion of untrusted files into the build, which in ATT&CK terms corresponds to Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001). The parent POM was never meant for external consumption, but it is published to the repository like any other artifact, so any project can declare it as its parent.
Mechanically, the parent POM declares a maven-dependency-plugin unpack execution bound to a build phase, with an include pattern that accepts every .mustache file in the artifact. Nothing validates which templates arrive beyond the normal Maven coordinate lookup, and the extracted files land in the build tree of whichever project inherits the POM. Unpacking by itself executes nothing; the exposure is that these templates feed the project's code generation, so a malicious template can shape the Java source that is subsequently compiled and, in the test modules the POM was written for, run. The behaviour is silent and happens during ordinary dependency resolution, so a developer updating a version number sees nothing unusual, which is what makes this hard to detect after the fact. The surface is widened by publication: the POM is discoverable, and anyone who copied the project's build setup can be inheriting it without realizing what it does.
The operational impact depends on the consuming build. A compromised template can inject arbitrary content into generated Java sources, which the build then compiles and, where the generated code is exercised by tests, executes. Code running inside a build has the build host's access, its repository and signing credentials, and the artifacts it publishes, so the realistic worst case is compromise of the build environment and tampering with downstream artifacts rather than a contained failure. The blast radius is limited to projects that actually inherit this parent POM, which the advisory says should be none outside the project's own test modules, but a project that did copy it may not be flagged by tooling that only inspects declared dependencies: a parent POM and an unpack execution are build configuration, not a runtime dependency, and do not appear in the dependency tree that such tools usually scan.
Projects that declare openapi-to-java-records-mustache-templates-parent as their parent should stop doing so; it is not meant for external use, and removing it is the fix. Where that cannot happen immediately, move to 5.5.1 or later, where the unpack behaviour was addressed. Audit the effective build configuration rather than the committed pom.xml alone, since inherited plugin executions only show up there (mvn help:effective-pom prints it), treat any maven-dependency-plugin unpack of template or script files from a third-party artifact as a finding, and pin plugin and dependency versions with checksum verification against the repository. Where an internal repository manager sits in front of Maven Central, the affected parent POM versions can be blocked there. More generally, the case shows why build configuration belongs in supply chain review alongside dependencies: maintain an inventory of inherited POMs and BOMs as well as of libraries, verify artifact signatures where the publisher provides them, and keep software composition analysis such as OWASP Dependency-Check running for the dependency side, with the understanding that it will not catch an inherited unpack execution on its own.
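The two checks the analysis asks for, inspecting a POM for an inherited affected parent and for a maven-dependency-plugin execution that unpacks .mustache files, are straightforward to script. The following is an added example written for this page, not code from the openapi-to-java-records-mustache-templates project or from VulDB. The sample pom.xml embedded in it is constructed for the example; the com.example groupId is a placeholder, not the project's real coordinates, and the version range [5.1.1, 5.5.1) is taken from the advisory above.

```python
"""Audit a Maven POM for the exposure described in CVE-2026-32735.

Added example, not project code. Reports (a) a <parent> that points at
openapi-to-java-records-mustache-templates-parent in the affected range
[5.1.1, 5.5.1) and (b) any maven-dependency-plugin unpack execution whose
include pattern extracts .mustache files from an artifact.
"""
import xml.etree.ElementTree as ET

AFFECTED_ARTIFACT = "openapi-to-java-records-mustache-templates-parent"
FIRST_AFFECTED = (5, 1, 1)   # first affected parent POM version, per the advisory
FIXED = (5, 5, 1)            # first version where the unpack behaviour was addressed
UNPACK_GOALS = {"unpack", "unpack-dependencies"}


def parse_version(text):
    """Turn '5.3.0' or '5.5.1-SNAPSHOT' into a comparable 3-tuple of ints.
    Qualifiers are dropped, so a 5.5.1 pre-release compares as 5.5.1."""
    parts = []
    for piece in text.split("-", 1)[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected_version(text):
    return FIRST_AFFECTED <= parse_version(text) < FIXED


def _load(pom_xml):
    """Parse a POM and strip the Maven XML namespace so tags match by local name."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def find_affected_parent(pom_xml):
    """Return the <parent> version if it is the affected artifact in range, else None."""
    parent = _load(pom_xml).find("parent")
    if parent is None or parent.findtext("artifactId", "") != AFFECTED_ARTIFACT:
        return None
    version = parent.findtext("version", "")
    return version if is_affected_version(version) else None


def find_mustache_unpacks(pom_xml):
    """Return (artifactId, includes) for every maven-dependency-plugin unpack
    execution whose artifactItem include pattern mentions .mustache files."""
    hits = []
    for plugin in _load(pom_xml).iter("plugin"):
        if plugin.findtext("artifactId") != "maven-dependency-plugin":
            continue
        for execution in plugin.iter("execution"):
            goals = {g.text or "" for g in execution.iter("goal")}
            if not goals & UNPACK_GOALS:
                continue
            for item in execution.iter("artifactItem"):
                includes = item.findtext("includes", "") or ""
                if ".mustache" in includes:
                    hits.append((item.findtext("artifactId", ""), includes))
    return hits


def scan_pom(pom_xml):
    """Collect human-readable findings for one POM."""
    findings = []
    parent_version = find_affected_parent(pom_xml)
    if parent_version:
        findings.append(f"inherits {AFFECTED_ARTIFACT} {parent_version} (affected range)")
    for artifact, includes in find_mustache_unpacks(pom_xml):
        findings.append(f"maven-dependency-plugin unpacks '{includes}' from {artifact}")
    return findings


# Constructed sample: an external project that copied the parent POM setup.
# com.example is a placeholder groupId, not the project's real coordinates.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <parent><groupId>com.example</groupId>
    <artifactId>openapi-to-java-records-mustache-templates-parent</artifactId>
    <version>5.3.0</version></parent>
  <artifactId>my-service</artifactId>
  <build><plugins><plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-dependency-plugin</artifactId>
    <executions><execution><id>unpack-templates</id>
      <phase>generate-sources</phase><goals><goal>unpack</goal></goals>
      <configuration><artifactItems><artifactItem>
        <groupId>com.example</groupId>
        <artifactId>openapi-to-java-records-mustache-templates</artifactId>
        <version>5.3.0</version>
        <includes>**/*.mustache</includes>
        <outputDirectory>${project.build.directory}/templates</outputDirectory>
      </artifactItem></artifactItems></configuration>
    </execution></executions></plugin></plugins></build>
</project>"""

if __name__ == "__main__":
    for finding in scan_pom(SAMPLE_POM):
        print("FINDING:", finding)
```

Run it against the effective POM rather than the committed one (for example the file written by `mvn help:effective-pom -Doutput=effective-pom.xml`), because an unpack execution inherited from a parent is not present in the child's own pom.xml and would otherwise be missed. The version comparison deliberately ignores qualifiers, so a 5.5.1-SNAPSHOT is treated as fixed; tighten that if your repository serves pre-release builds.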