Description
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue.
Published: 2026-01-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

A malicious OpenAPI specification that contains an unsanitized x-enumDescriptions field can inject executable TypeScript or JavaScript into the output of Orval’s client generation. The injected code is emitted directly in the generated enum implementation files, allowing an attacker to execute arbitrary instructions when the generated client is used. This flaw is rooted in improper input handling—specifically command injection (CWE‑77) and code execution via unsanitized dynamic code (CWE‑94). The primary impact is code execution in any environment that consumes the vulnerable client code.

Affected Systems

The vulnerability affects orval-labs’ Orval product, specifically versions older than 7.19.0 and any releases before 8.0.2. 7.19.0 and 8.0.2 contain the fix, so any system using a version older than these fixed releases is susceptible.

Risk and Exploitability

The CVSS score of 9.3 places this flaw in the Critical severity band. EPSS indicates a very low exploitation probability (<1%), and the CVE is not currently listed in CISA’s KEV catalog. Exploitation requires an attacker to supply a crafted OpenAPI spec to the Orval build process, which typically runs in continuous integration pipelines or build scripts. If such a spec is processed, the attacker could gain arbitrary code execution within the build environment or on any host that interprets the generated client.

Generated by OpenCVE AI on April 18, 2026 at 15:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Orval to version 7.19.0 or later (including 8.0.2) to apply the vendor patch
  • Disable or thoroughly sanitize the use of the x-enumDescriptions field in OpenAPI specifications before feeding them to Orval
  • Implement integrity checks in CI pipelines to detect unexpected code or modifications in generated client files
  • Review and audit generated TypeScript/JavaScript files for injected malicious code before deployment
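A pre-generation gate for the second recommendation, as an added example (not Orval's code and not part of the advisory): it walks a parsed spec, flags every x-enumDescriptions entry that is not plain text, and can strip the field entirely. The allowlist `SAFE_TEXT`, the function names and the sample spec are assumptions made for this illustration.

```javascript
// Added example: gate an OpenAPI document before it reaches the generator.
// SAFE_TEXT is an assumed, deliberately conservative allowlist: letters,
// digits, spaces and a little punctuation. Anything else is reported.
const SAFE_TEXT = /^[\p{L}\p{N} .,:()_-]*$/u;

// Recursively collect x-enumDescriptions entries that are not plain text.
// Paths are JSON-pointer-like; keys are not escaped in this sketch.
function findUnsafeEnumDescriptions(node, path = '#', findings = []) {
  if (Array.isArray(node)) {
    node.forEach((item, i) => findUnsafeEnumDescriptions(item, `${path}/${i}`, findings));
  } else if (node !== null && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}/${key}`;
      if (key === 'x-enumDescriptions') {
        const entries = Array.isArray(value) ? value : [value];
        entries.forEach((entry, i) => {
          if (typeof entry !== 'string' || !SAFE_TEXT.test(entry)) {
            findings.push({ path: `${here}/${i}`, value: entry });
          }
        });
      } else {
        findUnsafeEnumDescriptions(value, here, findings);
      }
    }
  }
  return findings;
}

// Return a deep copy of the spec with every x-enumDescriptions key removed
// (the "disable" option); the input object is left untouched.
function stripEnumDescriptions(node) {
  if (Array.isArray(node)) return node.map(stripEnumDescriptions);
  if (node === null || typeof node !== 'object') return node;
  return Object.fromEntries(
    Object.entries(node)
      .filter(([key]) => key !== 'x-enumDescriptions')
      .map(([key, value]) => [key, stripEnumDescriptions(value)]));
}

// Constructed sample input: one benign entry, one with non-text characters.
const SAMPLE_SPEC = {
  openapi: '3.0.3',
  components: { schemas: { Status: {
    type: 'string',
    enum: ['active', 'suspended'],
    'x-enumDescriptions': ['Account is active', "Suspended'; constructed_marker //"],
  } } },
};
```

In a pipeline, a non-empty result from `findUnsafeEnumDescriptions` would fail the job before generation runs; upgrading to a fixed release remains the primary remediation.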

Advisories
Source: Github GHSA
ID: GHSA-h526-wf6g-67jv
Title: Orval has a code injection via unsanitized x-enum-descriptions in enum generation
History

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Orval
Orval orval
Weaknesses CWE-94
CPEs cpe:2.3:a:orval:orval:*:*:*:*:*:*:*:*
Vendors & Products Orval
Orval orval
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Wed, 21 Jan 2026 17:30:00 +0000

Type: Description
Values Removed: Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.10.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 8.0.2 contains a fix for the issue.
Values Added: Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue.

Tue, 20 Jan 2026 19:45:00 +0000

Type: Metrics
Values Removed: cvssV4_0 {'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}
Values Added: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Tue, 20 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Orval-labs
Orval-labs orval
Vendors & Products Orval-labs
Orval-labs orval

Tue, 20 Jan 2026 00:45:00 +0000

Type Values Removed Values Added
Description Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.10.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 8.0.2 contains a fix for the issue.
Title Orval MCP client is vulnerable to code injection via unsanitized x-enum-descriptions in enum generation
Weaknesses CWE-77
References
Metrics cvssV4_0

{'score': 8.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-21T17:09:11.690Z

Reserved: 2026-01-19T14:49:06.311Z

Link: CVE-2026-23947

Vulnrichment

Updated: 2026-01-20T17:04:35.402Z

NVD

Status: Analyzed

Published: 2026-01-20T01:15:57.583

Modified: 2026-02-27T19:05:08.470

Link: CVE-2026-23947

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses