Login Sign Up

CVE-2026-23947

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

Orval versions 7.19.0 through 8.0.2 contain a code injection vulnerability in the x-enumDescriptions field processing. Untrusted OpenAPI specifications can inject arbitrary TypeScript/JavaScript code into generated clients, leading to remote code execution. This affects any environment using Orval to generate clients from untrusted OpenAPI specifications.

💻 Affected Systems

Products:
  • Orval
Versions: Versions prior to 7.19.0 until 8.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in @orval/core module when processing OpenAPI specifications with x-enumDescriptions field.

📦 What is this software?

Orval by Orval

View all CVEs affecting Orval →

Orval by Orval

View all CVEs affecting Orval →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution on systems generating or using the compromised client code, potentially leading to complete system compromise.

🟠

Likely Case

Arbitrary code execution in development/build environments when processing malicious OpenAPI specifications.

🟢

If Mitigated

Limited impact if only trusted OpenAPI specifications are processed and proper input validation is in place.

🌐 Internet-Facing: MEDIUM - Exploitation requires processing untrusted OpenAPI specs, which may occur in CI/CD pipelines or automated systems.
🏢 Internal Only: MEDIUM - Internal development/build systems could be compromised if processing untrusted specifications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires providing a malicious OpenAPI specification to Orval's client generation process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.19.0 and 8.0.2

Vendor Advisory: https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv

Restart Required: No

Instructions:

1. Update Orval to version 7.19.0 or 8.0.2. 2. Regenerate any previously generated clients from potentially untrusted OpenAPI specifications.

🔧 Temporary Workarounds

Input Validation

all

Validate and sanitize all OpenAPI specifications before processing with Orval

Trusted Sources Only

all

Only process OpenAPI specifications from trusted, verified sources

🧯 If You Can't Patch

  • Implement strict input validation for all OpenAPI specifications
  • Isolate Orval client generation to sandboxed environments

🔍 How to Verify

Check if Vulnerable:

Check Orval version: if using version <7.19.0 or between 7.19.0 and 8.0.2 (excluding 8.0.2), you are vulnerable.

Check Version:

npm list orval

Verify Fix Applied:

Verify Orval version is 7.19.0 or 8.0.2, and regenerate any clients from potentially untrusted sources.

📡 Detection & Monitoring

Log Indicators:

  • Unusual code generation patterns
  • Suspicious content in x-enumDescriptions fields

Network Indicators:

  • Downloads of OpenAPI specifications from untrusted sources

SIEM Query:

Search for process execution from Orval client generation with suspicious parameters

📊 Metadata

CVE ID: CVE-2026-23947
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
EPSS Score: 0.1% exploit probability (28.1th percentile)
Published: January 20, 2026
Last Updated: February 27, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2026-23947, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)