CVE-2026-23947
Arbitrary Code Execution in Orval Clients via x-enumDescriptions Injection
Publication date: 2026-01-20
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| orval | orval | to 7.19.0 (exc) |
| orval | orval | From 8.0.0 (inc) to 8.0.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23947 is a critical code injection vulnerability in the @orval/core npm package versions 7.10.0 through 8.0.2. It occurs because the x-enumDescriptions field in OpenAPI specifications is embedded without proper escaping in the getEnumImplementation() function during the generation of TypeScript const enums. This allows an attacker to inject arbitrary TypeScript or JavaScript code into the generated client code, which then executes in environments consuming these clients. The vulnerability is similar to CVE-2026-22785 but affects a different code path. It has been fixed in version 8.0.2. [2]
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution in any environment that consumes the generated clients from Orval versions 7.10.0 to 8.0.2. If an attacker provides a malicious OpenAPI specification with crafted x-enumDescriptions, they can execute arbitrary TypeScript or JavaScript code within the generated client code. This can compromise the security of the system using the client, potentially leading to unauthorized actions, data breaches, or system compromise. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting generated client code for the presence of unsanitized or suspicious code injected via the x-enumDescriptions field in enum implementations. Specifically, look for const enum implementations in generated schema files that contain unexpected JavaScript or TypeScript code. Since the vulnerability involves code injection during client generation, scanning generated files for suspicious patterns such as embedded require calls or execSync usage may help detect exploitation. There are no specific network commands provided to detect this vulnerability. [2]
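One way to run the file scan described above, as an added example that is not Orval's code and not part of the original advisory: it blanks comments and quoted strings first, so a description that merely mentions `execSync` is ignored while the same token appearing as live code is reported. The function names, the pattern list beyond `require` and `execSync`, and both sample files are constructed for illustration, and the `export const X = { ... } as const` output shape is an assumption.

```javascript
// Added example: hypothetical scanner for generated schema files (not Orval code).
// Patterns follow the advice above: require calls, execSync, and close relatives.
const SUSPICIOUS = [/\brequire\s*\(/, /\bexecSync\b/, /\beval\s*\(/, /\bimport\s*\(/];

// Blank comments and quoted strings so only live code remains (line numbers kept).
// Template literals are left in place on purpose: ${...} inside them is live code.
function liveCode(src) {
  const blank = (s) => s.replace(/[^\n]/g, ' ');
  let out = '';
  let i = 0;
  while (i < src.length) {
    let end = i + 1;
    let skip = true;
    if (src.startsWith('//', i)) {
      end = src.indexOf('\n', i);
      if (end === -1) end = src.length;
    } else if (src.startsWith('/*', i)) {
      end = src.indexOf('*/', i + 2);
      end = end === -1 ? src.length : end + 2;
    } else if (src[i] === "'" || src[i] === '"') {
      // A string ends at its matching quote or, defensively, at end of line.
      while (end < src.length && src[end] !== src[i] && src[end] !== '\n') {
        end += src[end] === '\\' ? 2 : 1;
      }
      if (src[end] === src[i]) end += 1;
    } else {
      skip = false;
    }
    out += skip ? blank(src.slice(i, end)) : src[i];
    i = end;
  }
  return out;
}

// One finding per suspicious pattern per line of live code.
function scanGenerated(src) {
  const findings = [];
  liveCode(src).split('\n').forEach((text, idx) => {
    for (const re of SUSPICIOUS) {
      if (re.test(text)) findings.push({ line: idx + 1, pattern: re.source });
    }
  });
  return findings;
}

// Constructed samples; the `export const X = { ... } as const` shape is assumed.
const CLEAN = "export const S = {\n  /** calls execSync */\n  a: 'require(a)',\n} as const;";
const TAMPERED = "export const S = {\n  /** d */ a: require('x').execSync('echo hi'),\n} as const;";
console.log(scanGenerated(CLEAN).length, scanGenerated(TAMPERED));
```

A finding is a prompt to review the generated file and the specification it came from, not proof of exploitation; an empty result does not replace upgrading.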
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the @orval/core package to version 8.0.2 or later, where the vulnerability has been fixed. This update properly escapes x-enum values and prevents arbitrary code injection during enum generation. Avoid using untrusted OpenAPI specifications with vulnerable versions until the upgrade is applied. [2, 1]