CVE-2026-49451
Received Received - Intake

Stack Overflow in OpenAPI.NET SDK Parsing

Publication date: 2026-06-30

Last updated on: 2026-06-30

Assigner: GitHub, Inc.

Description
The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until 2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. This vulnerability is fixed in 2.7.5 and 3.5.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-30
Last Modified
2026-06-30
Generated
2026-06-30
AI Q&A
2026-06-30
EPSS Evaluated
N/A
NVD
CVE-2026-49451
EUVD
EUVD-2026-40365

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
microsoft openapi.net From 2.0.0-preview11 (inc) to 2.7.5 (exc)
microsoft openapi.net From 3.0.0 (inc) to 3.5.4 (exc)
microsoft openapi.net 2.7.5
microsoft openapi.net 3.5.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-49451 is a vulnerability in the Microsoft.OpenAPI.NET library where a small OpenAPI document containing a circular schema reference can cause the process to terminate due to a stack overflow.

This happens during the parsing of OpenAPI documents through the public reader APIs and affects both JSON and YAML formats.

The vulnerability exists in versions from 2.0.0-preview11 up to 2.7.4 and 3.0.0 up to 3.5.3, and it is fixed in versions 2.7.5 and 3.5.4.

Impact Analysis

This vulnerability can cause applications that parse OpenAPI documents using the affected Microsoft.OpenAPI.NET versions to terminate unexpectedly due to a stack overflow triggered by circular schema references.

The primary impact is loss of availability, meaning the application or service may crash or stop functioning when processing crafted OpenAPI documents.

It does not lead to remote code execution, authentication bypass, or data exposure.

Detection Guidance

This vulnerability manifests as process termination due to stack overflow when parsing OpenAPI documents containing circular schema references using Microsoft.OpenAPI.NET versions 2.0.0-preview11 to 2.7.4 and 3.0.0 to 3.5.3.

Detection involves monitoring for unexpected crashes or process terminations of applications using the affected Microsoft.OpenAPI.NET library when processing OpenAPI JSON or YAML documents.

There are no specific commands provided to detect this vulnerability directly. However, you can:

  • Check application logs for crashes or stack overflow errors related to OpenAPI document parsing.
  • Use process monitoring tools (e.g., Windows Event Viewer, Linux system logs) to identify abnormal termination of processes using Microsoft.OpenAPI.NET.
  • Audit the versions of Microsoft.OpenAPI.NET in use to identify if they fall within the vulnerable ranges.
  • Review OpenAPI documents being parsed for circular schema references that could trigger the vulnerability.
Mitigation Strategies

Immediate mitigation steps include upgrading Microsoft.OpenAPI.NET to patched versions 2.7.5 or 3.5.4 where the vulnerability is fixed.

Avoid parsing untrusted OpenAPI documents in the primary process to prevent process termination.

Instead, parse untrusted documents in isolated or sandboxed processes to contain potential crashes.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-49451. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart