Description
The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until 2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. This vulnerability is fixed in 2.7.5 and 3.5.4.
Published: 2026-06-30
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A circular reference within an OpenAPI document triggers a stack overflow in the OpenAPI.NET SDK, terminating the process that parses the document. This leads to a denial of service by crashing the application that relies on OpenAPI.NET. The flaw is an uncontrolled recursion flaw (CWE‑674).

Affected Systems

Microsoft OpenAPI.NET SDK is impacted. Versions from 2.0.0‑preview11 up through 2.7.5, and the 3.x line up to 3.5.4 are vulnerable. The vulnerability is fixed in 2.7.5 and 3.5.4 and any later releases.

Risk and Exploitability

The CVSS score of 7.5 reflects high severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires that the target application use OpenAPI.NET to parse a supplied OpenAPI document; an attacker can supply a payload containing a circular schema reference. The attack does not require authentication or network access beyond the ability to deliver the document, and it causes a local denial of service by bringing the process crashing. Because the flaw stems from parsing logic, it is unlikely to escape beyond the affected process.

Generated by OpenCVE AI on June 30, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OpenAPI.NET SDK to version 2.7.5 or 3.5.4 or later.
  • Implement input validation to detect and reject circular schema references before passing documents to the OpenAPI.NET reader.
  • If an upgrade cannot be applied immediately, consider disabling OpenAPI document parsing until the patch is applied.

Generated by OpenCVE AI on June 30, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v5pm-xwqc-g5wc Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing
History

Tue, 30 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until 2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. This vulnerability is fixed in 2.7.5 and 3.5.4.
Title Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-30T18:58:34.623Z

Reserved: 2026-05-30T02:43:33.106Z

Link: CVE-2026-49451

cve-icon Vulnrichment

Updated: 2026-06-30T18:57:00.250Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-30T18:00:06Z

Weaknesses