← All CVEs

CVE-2026-49451

HIGH 7.5

Published 2026-06-30 · Last modified 2026-06-30

The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until 2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. This vulnerability is fixed in 2.7.5 and 3.5.4.

ELEVATED IMPACT

Severe if exploited (CVSS 7.5), but no known exploitation and low modeled probability. Patch on a normal cadence.

Exploitation likelihood

0.7%chance of exploitation in 30 days · 48th percentile

○ In CISA KEV ○ Public exploit / PoC

Impact if exploited

7.5CVSS 3.1 · HIGH

  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityHigh

What an attacker needs

  • Access: Reachable over the network — no local access needed
  • Privileges: No account or privileges required
  • User interaction: No user interaction needed
  • Complexity: No special conditions — reliably repeatable

✓ lowers the bar for an attacker · ⚠ raises it

Affected

Vendors Microsoft

Products Openapi.Net

Weakness (CWE)

  • CWE-674

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Sources: NVD · CVE.org · EPSS