Advisory Database

CVE-2026-49451: Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing

June 30, 2026

A small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths.

Applications, CLIs, developer tools, or services that parse untrusted OpenAPI documents in-process may be terminated by a crafted OpenAPI document containing circular schema references.

The impact is availability/process termination only. This report does not claim remote code execution, authentication bypass, credential exposure, privilege escalation, data exposure, or Microsoft hosted service impact.

References

  • github.com/advisories/GHSA-v5pm-xwqc-g5wc
  • github.com/microsoft/OpenAPI.NET/security/advisories/GHSA-v5pm-xwqc-g5wc
  • nvd.nist.gov/vuln/detail/CVE-2026-49451


Affected versions

All versions from 2.0.0-preview11 up to but not including 2.7.5, and all versions from 3.0.0 up to but not including 3.5.4.

Fixed versions

  • 2.7.5
  • 3.5.4

Solution

Upgrade to version 2.7.5, 3.5.4, or above.
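To check which projects still pin an affected release, the following added example (not code from GitLab or the OpenAPI.NET project) scans an SDK-style project file and compares each pinned Microsoft.OpenApi version with the affected ranges listed above. It assumes SemVer 2.0.0 precedence with case-insensitive prerelease labels; the project file and the `Example.Package` entry are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges copied from this advisory: (lower inclusive, upper exclusive).
AFFECTED = [("2.0.0-preview11", "2.7.5"), ("3.0.0", "3.5.4")]
PACKAGE_ID = "microsoft.openapi"  # NuGet package IDs are case-insensitive

def sort_key(version):
    """SemVer 2.0.0 precedence key; build metadata after '+' is ignored."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?", version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    core = tuple(int(p) for p in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + ((1,),)  # a release sorts after all of its prereleases
    # Numeric identifiers sort before text ones; text is lower-cased (assumption).
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i.lower())
                for i in m.group(4).split("."))
    return core + ((0,) + ids,)

def is_affected(version):
    key = sort_key(version)
    return any(sort_key(lo) <= key < sort_key(hi) for lo, hi in AFFECTED)

def scan_csproj(xml_text):
    """Return (version, verdict) for each Microsoft.OpenApi PackageReference."""
    findings = []
    for ref in ET.fromstring(xml_text).iter("PackageReference"):
        if ref.get("Include", "").lower() == PACKAGE_ID:
            version = ref.get("Version") or ref.findtext("Version") or ""
            try:
                verdict = "affected" if is_affected(version) else "ok"
            except ValueError:
                verdict = "review"  # ranges, floating or missing versions
            findings.append((version, verdict))
    return findings

# Constructed project file for the example.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.OpenApi" Version="2.7.4" />
    <PackageReference Include="Example.Package" Version="1.0.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, verdict in scan_csproj(SAMPLE):
        print(f"Microsoft.OpenApi {version}: {verdict}")
```

A "review" verdict means the reference uses a version range, a floating version, or central package management, so the resolved version has to be checked by hand or from the lock file.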

Impact 7.5 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H


Weakness

  • CWE-674: Uncontrolled Recursion

Source file

nuget/Microsoft.OpenAPI/CVE-2026-49451.yml


Page generated Sun, 05 Jul 2026 00:18:28 +0000.