Description
A security vulnerability has been detected in oatpp up to 1.3.1. This impacts the function oatpp::data::type::ObjectWrapper::ObjectWrapper of the file src/oatpp/data/type/Type.hpp. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-02-06
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Assess Impact
AI Analysis

Impact

A null pointer dereference has been identified in the oatpp::data::type::ObjectWrapper constructor. The flaw can be triggered by supplying a null value to the constructor, leading to an application crash. The crash disrupts service availability, effectively causing a denial-of-service condition. This is a classic null pointer dereference (CWE-476): it does not escalate privileges, but it compromises service continuity.

Affected Systems

The affected product is oatpp, with versions up to and including 1.3.1 vulnerable. No other vendors or product lines are listed. If you are running oatpp in any capacity, verify your installed version and whether your deployment may encounter the null‑pointer scenario highlighted in Type.hpp.

Risk and Exploitability

The CVSS score of 4.8 signals moderate severity, and the EPSS score of less than 1% indicates a very low probability of widespread exploitation. The flaw requires local access and is not listed in the CISA KEV catalog, meaning no confirmed exploitation in the wild is known, although the description notes that the exploit has been disclosed publicly. An attacker with local privileges could invoke the vulnerable constructor and cause the application to crash; the current data does not indicate remote exploitation or privilege escalation.

Generated by OpenCVE AI on April 17, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade oatpp to a release newer than 1.3.1 as soon as a fix is available. If an official patch is not yet released, review any available community patches or pull requests and apply them after testing.
  • Implement defensive programming by adding explicit null checks around calls to ObjectWrapper, ensuring that a null value never reaches the constructor. This prevents the crash in the current code base.
  • Stay informed of vendor announcements and security advisories; apply any subsequent patches promptly and monitor the application for stability after updates.

Advisories

No advisories yet.

History

Fri, 06 Feb 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 06 Feb 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Oatpp; Oatpp oatpp |
| Vendors & Products | | Oatpp; Oatpp oatpp |

Fri, 06 Feb 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | A security vulnerability has been detected in oatpp up to 1.3.1. This impacts the function oatpp::data::type::ObjectWrapper::ObjectWrapper of the file src/oatpp/data/type/Type.hpp. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. |
| Title | | oatpp Type.hpp ObjectWrapper null pointer dereference |
| Weaknesses | | CWE-404; CWE-476 |
| References | | |
| Metrics | | cvssV2_0: {'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:ND/RC:UR'} |
| | | cvssV3_0: {'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'} |
| | | cvssV3_1: {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R'} |
| | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-02-23T09:21:33.410Z

Reserved: 2026-02-05T15:39:58.228Z

Link: CVE-2026-1990

Vulnrichment

Updated: 2026-02-06T20:25:42.647Z

NVD

Status: Deferred

Published: 2026-02-06T05:16:12.920

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1990

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T23:00:12Z

Weaknesses