CVE-2026-23947
Unknown Unknown - Not Provided
Arbitrary Code Execution in Orval Clients via x-enumDescriptions Injection

Publication date: 2026-01-20

Last updated on: 2026-02-27

Assigner: GitHub, Inc.

Description
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.10.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 8.0.2 contains a fix for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-02-27
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23947
EUVD
EUVD-2026-3590
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
orval orval to 7.19.0 (exc)
orval orval From 8.0.0 (inc) to 8.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-23947 is a critical code injection vulnerability in the @orval/core npm package versions 7.10.0 through 8.0.2. It occurs because the x-enumDescriptions field in OpenAPI specifications is embedded without proper escaping in the getEnumImplementation() function during the generation of TypeScript const enums. This allows an attacker to inject arbitrary TypeScript or JavaScript code into the generated client code, which then executes in environments consuming these clients. The vulnerability is similar to CVE-2026-22785 but affects a different code path. It has been fixed in version 8.0.2. [2]

Impact Analysis

This vulnerability can lead to arbitrary code execution in any environment that consumes the generated clients from Orval versions 7.10.0 to 8.0.2. If an attacker provides a malicious OpenAPI specification with crafted x-enumDescriptions, they can execute arbitrary TypeScript or JavaScript code within the generated client code. This can compromise the security of the system using the client, potentially leading to unauthorized actions, data breaches, or system compromise. [2]

Detection Guidance

This vulnerability can be detected by inspecting generated client code for the presence of unsanitized or suspicious code injected via the x-enumDescriptions field in enum implementations. Specifically, look for const enum implementations in generated schema files that contain unexpected JavaScript or TypeScript code. Since the vulnerability involves code injection during client generation, scanning generated files for suspicious patterns such as embedded require calls or execSync usage may help detect exploitation. There are no specific network commands provided to detect this vulnerability. [2]

Mitigation Strategies

The immediate mitigation step is to upgrade the @orval/core package to version 8.0.2 or later, where the vulnerability has been fixed. This update properly escapes x-enum values and prevents arbitrary code injection during enum generation. Avoid using untrusted OpenAPI specifications with vulnerable versions until the upgrade is applied. [2, 1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23947. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart