CVE-2026-23947 in orval
Summary
by MITRE • 01/20/2026
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue.
Analysis
by VulDB Data Team • 02/27/2026
CVE-2026-23947 affects Orval, a tool that generates type-safe JavaScript clients from OpenAPI v3 and Swagger v2 specifications. Because the generated client is consumed as source code, a flaw in the generator is a toolchain vulnerability: a manipulated OpenAPI specification file can drive arbitrary code execution in the environment that consumes the generated client. Versions prior to 7.19.0 and up to 8.0.2 are affected, so any system that runs Orval on untrusted API specifications is exposed to code injection. The injection vector is the x-enumDescriptions field of the specification, whose values are copied into the generated client code without sanitization or escaping.
The flaw lies in the getEnumImplementation() function of the @orval/core module, which processes x-enumDescriptions values without validating or escaping them. This code path is distinct from the one fixed for CVE-2026-22785, so it remained an open attack surface through which a crafted specification could inject arbitrary JavaScript during const enum generation. When Orval processes a malicious specification containing specially formatted x-enumDescriptions values, the generated TypeScript client contains executable JavaScript that runs in the consuming environment. A field intended purely as documentation thus becomes a code execution mechanism and breaks the trust boundary of every application that relies on Orval-generated clients.
The impact of CVE-2026-23947 goes beyond the injection itself: it can lead to full compromise of systems that process or execute the generated client code. An attacker can use it to execute arbitrary commands, access sensitive data, or escalate privileges within the context in which the generated clients run. The vulnerability is most relevant where API specifications come from untrusted sources such as third-party vendors, public APIs, or collaborative development platforms. Because Orval is widely used in enterprise environments for API client generation, many applications are potentially exposed if they consume specifications from such sources. The similarity to CVE-2026-22785 also shows that the earlier fix covered one code path but not a parallel one in the same ecosystem, which underlines the need for security reviews that span every module handling the same untrusted input.
The primary mitigation for CVE-2026-23947 is upgrading to Orval 7.19.0 or 8.0.2, which fix the handling of the x-enumDescriptions field. Organizations should also validate every OpenAPI specification consumed by their Orval toolchains, with particular attention to enum-related fields and any extension properties that could carry executable content. The fix resolves the core issue by properly escaping or sanitizing x-enumDescriptions values during enum implementation generation, so that malicious content cannot be embedded in the output client files. Security teams should additionally consider runtime protections such as content security policies and sandboxing for environments that process potentially untrusted API specifications. From a compliance perspective, the vulnerability is classified as CWE-94, "Improper Control of Generation of Code ('Code Injection')", and reflects patterns commonly addressed by ATT&CK technique T1059.001 for executing malicious code through scripting languages. Organizations should audit their API client generation processes and ensure that all dependencies are updated to patched versions to prevent exploitation of this and similar vulnerabilities.
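The following Node.js script is an added example and is not Orval's own code. It illustrates two points from the analysis above: the unescaped splicing of x-enumDescriptions values into generated enum code that the getEnumImplementation() paragraph describes, and the input validation and escaping recommended as mitigation. The page names getEnumImplementation() but not its implementation or the exact shape of x-enumDescriptions, so both are assumed here: an object mapping enum values to description strings, emitted into a JSDoc comment above each const enum member. The names auditEnumDescriptions, escapeJsDoc, renderConstEnum and SAMPLE_SPEC, and the sample specification itself, are constructed for this example.

```javascript
// Added example, not Orval's code. Assumptions: x-enumDescriptions is an object
// mapping enum values to description strings, and the generator emits each
// description into a /** ... */ JSDoc comment above the const enum member.

// Sequences that can close or escape the context a description is spliced into.
const DANGEROUS_PATTERNS = [
  { name: 'comment-terminator', re: /\*\// },        // ends a /** ... */ comment
  { name: 'template-interpolation', re: /\$\{/ },   // if emitted into a template literal
  { name: 'backtick', re: /`/ },                     // closes a template literal
  { name: 'line-break', re: /[\r\n\u2028\u2029]/ }, // ends a // comment or a string literal
];

// Depth-first walk over a parsed OpenAPI document, yielding every schema object
// that declares an `enum` together with its JSON path.
function* walkEnumSchemas(node, path = ['$']) {
  if (node === null || typeof node !== 'object') return;
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* walkEnumSchemas(node[i], [...path, String(i)]);
    return;
  }
  if (Array.isArray(node.enum)) yield { path, schema: node };
  for (const [key, value] of Object.entries(node)) yield* walkEnumSchemas(value, [...path, key]);
}

// Pre-generation audit: returns one finding per x-enumDescriptions value that
// is not a plain string or that contains a context-breaking sequence.
function auditEnumDescriptions(spec) {
  const findings = [];
  for (const { path, schema } of walkEnumSchemas(spec)) {
    const descs = schema['x-enumDescriptions'];
    if (descs === null || typeof descs !== 'object') continue;
    for (const [member, text] of Object.entries(descs)) {
      const where = [...path, 'x-enumDescriptions', member].join('.');
      if (typeof text !== 'string') {
        findings.push({ path: where, reason: 'non-string' });
        continue;
      }
      for (const { name, re } of DANGEROUS_PATTERNS) {
        if (re.test(text)) findings.push({ path: where, reason: name });
      }
    }
  }
  return findings;
}

// Hardened form: neutralise the comment terminator and flatten line breaks so
// the description can never leave the JSDoc comment it is written into.
function escapeJsDoc(text) {
  return String(text).replace(/\*\//g, '*\\/').replace(/[\r\n\u2028\u2029]+/g, ' ');
}

// Toy const-enum renderer in the style of a generated client. With
// escape=false it reproduces the unsafe pattern (raw interpolation of the
// description); with escape=true it applies escapeJsDoc before emitting.
function renderConstEnum(name, schema, { escape }) {
  const descs = schema['x-enumDescriptions'] || {};
  const lines = [`export const ${name} = {`];
  for (const value of schema.enum) {
    const text = descs[value];
    if (typeof text === 'string') lines.push(`  /** ${escape ? escapeJsDoc(text) : text} */`);
    lines.push(`  ${JSON.stringify(value)}: ${JSON.stringify(value)},`);
  }
  lines.push('} as const;');
  return lines.join('\n');
}

// Constructed sample specification: one benign description and one that
// contains a comment terminator followed by a statement, so the unescaped
// rendering places executable code outside the comment.
const SAMPLE_SPEC = {
  openapi: '3.0.0',
  components: {
    schemas: {
      Status: {
        type: 'string',
        enum: ['active', 'inactive'],
        'x-enumDescriptions': {
          active: 'Account is active',
          inactive: 'Account disabled */ console.log("ran from a description"); /*',
        },
      },
    },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const schema = SAMPLE_SPEC.components.schemas.Status;
  console.log(auditEnumDescriptions(SAMPLE_SPEC));
  console.log(renderConstEnum('Status', schema, { escape: false }));
  console.log(renderConstEnum('Status', schema, { escape: true }));
}
```

Running the audit before generation is the cheap control: a CI step that fails on any finding keeps a specification from an untrusted source out of the generator entirely. The escaping in renderConstEnum is the generator-side control and is what the fixed Orval versions are described as applying; a generator that emits descriptions into a different context (a string literal, a `//` comment) needs an escape routine written for that context rather than this one.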