Skip to main content

Microsoft.OpenApi EUVDEUVD-2026-40365

| CVE-2026-49451 HIGH
Uncontrolled Recursion (CWE-674)
2026-06-30 https://github.com/microsoft/OpenAPI.NET GHSA-v5pm-xwqc-g5wc
7.5
CVSS 3.1 · Vendor: https://github.com/microsoft/OpenAPI.NET
Share

Severity by source

Vendor (https://github.com/microsoft/OpenAPI.NET) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Network-deliverable document with trivial deterministic payload (AV:N/AC:L/PR:N/UI:N); availability-only process crash gives A:H with C:N/I:N and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/microsoft/OpenAPI.NET).

CVSS VectorVendor: https://github.com/microsoft/OpenAPI.NET

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jun 30, 2026 - 18:01 EUVD
Analysis Generated
Jun 30, 2026 - 16:20 vuln.today
CVE Published
Jun 30, 2026 - 15:56 github-advisory
HIGH 7.5

DescriptionCVE.org

Impact

A small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths.

Affected versions

  • >= 2.0.0-preview11, <= 2.7.4
  • >= 3.0.0, <= 3.5.3

Patches

  • For the 2.X major version, versions 2.7.5 and above are patched.
  • For the 3.X major version, versions 3.5.4 and above are patched.
  • For the 1.X major version, the issue does not apply since that version of the library *could not* resolve references that pointed to another reference.

Impact

Applications, CLIs, developer tools, or services that parse untrusted OpenAPI documents in-process may be terminated by a crafted OpenAPI document containing circular schema references.

The impact is availability/process termination only. This report does not claim remote code execution, authentication bypass, credential exposure, privilege escalation, data exposure, or Microsoft hosted service impact.

Details

A standalone isolated-process harness confirmed repeatable process termination through public OpenAPI.NET reader APIs. The issue reproduces in the affected released NuGet packages and affects both JSON and YAML reader paths.

A separate Microsoft-owned local consumer, microsoft/kiota, also reproduces the termination through the kiota show --openapi <file> workflow. That workflow parses OpenAPI files in-process using Microsoft.OpenApi and Microsoft.OpenApi.YamlReader.

Example payload

json
{
    "openapi": "3.0.0",
    "info": {
        "title": "Test",
        "version": "0.0.1"
    },
    "paths": {},
    "components": {
        "schemas": {
            "A": {
                "$ref": "#/components/schemas/B"
            },
            "B": {
                "$ref": "#/components/schemas/A"
            }
        }
    }
}

Remediation

Users should upgrade to Microsoft.OpenApi 2.7.5 or 3.5.4, depending on the major version line they consume.

Applications that parse OpenAPI documents from untrusted sources should avoid parsing those documents in the primary application process when possible. Running parsing in an isolated process can reduce the blast radius of parser failures.

AnalysisAI

Denial of service in the Microsoft.OpenApi (OpenAPI.NET) .NET library lets a crafted OpenAPI document with circular schema $ref references crash the host process via stack overflow (CWE-674, uncontrolled recursion). Any .NET application, CLI, developer tool, or service that parses untrusted OpenAPI documents in-process through the public reader APIs is affected across both JSON and YAML reader paths, including Microsoft's own kiota tool. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify service that parses uploaded OpenAPI specs
Delivery
Craft document with circular A↔B $ref
Exploit
Submit document to reader API
Execution
Trigger unbounded recursion in resolver
Persist
Stack overflow terminates process
Impact
Denial of service

Vulnerability AssessmentAI

Exploitation The vulnerable application must parse an attacker-supplied OpenAPI document in-process through the public OpenAPI.NET reader APIs (JSON or YAML reader path) using an affected version (2.0.0-preview11-2.7.4 or 3.0.0-3.5.3). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are largely consistent in direction but modest in real-world severity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a small crafted OpenAPI/Swagger document - for example, schemas A and B that $ref each other - to a service, CLI, or developer tool that parses uploaded OpenAPI specs in-process using Microsoft.OpenApi. Parsing recurses without bound, overflows the stack, and terminates the process, denying service to all users of that instance. …
Remediation Vendor-released patch: upgrade Microsoft.OpenApi to 2.7.5 or later on the 2.x line, or to 3.5.4 or later on the 3.x line, matching whichever major version your project consumes; rebuild and redeploy downstream consumers such as kiota against the patched package. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all .NET applications using Microsoft.OpenApi and identify services that accept external OpenAPI documents; implement immediate upload restrictions where operationally feasible. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy