CVE-2026-49451 | The OpenAPI.NET SDK contains a useful object model for OpenA… | CVSS 7.5 HIGH

Description

The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until 2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. This vulnerability is fixed in 2.7.5 and 3.5.4.

Metadata

CVE ID: CVE-2026-49451
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-30 02:43 UTC
Published: 2026-06-30 16:01 UTC
Last updated: 2026-06-30 18:58 UTC
Primary CWE: CWE-674
CWE-674: Uncontrolled Recursion
Vendor / Product: microsoft / OpenAPI.NET
Sources: cve.org · NVD

Severity & Metrics

7.5 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
microsoft	OpenAPI.NET	—	>= 2.0.0-preview11, < 2.7.5, >= 3.0.0, < 3.5.4

Weakness (CWE)

CWE	Source	Description
CWE-674	cna	CWE-674: Uncontrolled Recursion

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.5	HIGH	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (1)

https://github.com/microsoft/OpenAPI.NET/security/advisories/GHSA-v5pm-xwqc-g5wc https://github.com/microsoft/OpenAPI.NET/security/advisories/GHSA-v5pm-xwqc-g5wc