CVE-2026-24132

9.8 CRITICAL

📋 TL;DR

Orval versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 contain a code injection vulnerability where untrusted OpenAPI specifications can inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. This allows attackers to execute arbitrary code in the context of the application generating the mock files. Developers and organizations using Orval to generate client code from untrusted OpenAPI specifications are affected.

💻 Affected Systems

Products:
  • Orval
Versions: 7.19.0 and below, 8.0.0-rc.0 through 8.0.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who generate mock files from OpenAPI specifications containing const properties. The vulnerability is present in the default configuration when processing untrusted specs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution on the system running Orval, potentially leading to complete system compromise, data theft, or lateral movement within the environment.

🟠 Likely Case

Arbitrary code execution during development/build processes, potentially compromising CI/CD pipelines, stealing credentials, or injecting malicious code into production artifacts.

🟢 If Mitigated

No impact if only trusted OpenAPI specifications are processed or if the vulnerable versions are not used.

🌐 Internet-Facing: MEDIUM - While Orval itself is typically a development tool, if integrated into internet-facing build systems or services that process user-provided OpenAPI specs, risk increases significantly.
🏢 Internal Only: HIGH - Development environments, CI/CD pipelines, and internal build systems using vulnerable Orval versions are at significant risk from malicious internal actors or compromised dependencies.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires an attacker to provide a malicious OpenAPI specification containing const properties with JavaScript/TypeScript code. No authentication is needed if the system processes untrusted specs.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.20.0 and 8.0.3

Vendor Advisory: https://github.com/orval-labs/orval/security/advisories

Restart Required: No

Instructions:

1. Update Orval to version 7.20.0 or higher if using the 7.x series.
2. Update Orval to version 8.0.3 or higher if using the 8.x series.
3. Run 'npm update orval' or 'yarn upgrade orval' depending on your package manager.
4. Regenerate any previously generated mock files to ensure they don't contain malicious code.

🔧 Temporary Workarounds

Disable mock generation (all)

Temporarily disable mock file generation in the Orval configuration until patched: set the 'mock' option to false in orval.config.js, or remove the mock-related configuration.
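
The configuration change behind this workaround, as an added example that is not taken from the Orval project or from this advisory. The project key ('petstore') and both file paths are placeholders; the per-project `input` / `output.target` layout follows Orval's documented config shape, and `mock` is the option named above.

```javascript
// Added example orval.config.js (not the project's own file): mock generation
// switched off while the vulnerable version is still installed.
// 'petstore' and the two paths are placeholders for your own project.
const config = {
  petstore: {
    input: './specs/petstore.yaml',            // placeholder spec path
    output: {
      target: './src/generated/petstore.ts',  // placeholder client output path
      mock: false,                             // was `mock: true` (or a mock options object)
    },
  },
};

// Exported as CommonJS; the guard keeps the file loadable as an ES module too.
if (typeof module !== 'undefined') module.exports = config;
```

Deleting the `mock` key entirely has the same effect as `mock: false`; the explicit value is easier to spot in review and to revert once the patched release is in.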

Validate OpenAPI specifications (all)

Implement strict validation of OpenAPI specifications before processing them with Orval, rejecting specs whose const properties carry suspicious values.
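
One way to implement that pre-processing gate, as an added example that is not Orval's code and not part of the advisory. It walks a parsed spec (JSON or YAML already loaded into a plain object), finds every schema `const` keyword, and rejects values outside a conservative allowlist of characters that cannot terminate a JS/TS string or template literal. The allowlist, the set of name-map keys, and the sample spec are assumptions constructed for this example.

```javascript
// Added example, not Orval's own validation: flag schema `const` values that
// a naive code generator could not safely embed in generated JS/TS.

// Conservative allowlist (an assumption of this example): letters, digits,
// space and a few punctuation characters; no quotes, backticks, backslashes,
// braces, newlines or comment markers.
const SAFE_STRING = /^[A-Za-z0-9 _.:@\/-]*$/;

// Object keys whose children are user-chosen names (property names, schema
// names, paths, media types ...) rather than schema keywords. A property
// literally named "const" under `properties` is data, not the keyword.
const NAME_MAPS = new Set([
  'properties', 'patternProperties', 'schemas', 'definitions', 'paths',
  'responses', 'parameters', 'headers', 'examples', 'links', 'callbacks',
  'requestBodies', 'securitySchemes', 'content', 'encoding', 'variables',
]);

// `const` may hold any JSON value; strings and object keys must pass the
// allowlist, numbers must be finite, containers are checked recursively.
function isSafeConstValue(value) {
  if (value === null) return true;
  switch (typeof value) {
    case 'boolean': return true;
    case 'number': return Number.isFinite(value);
    case 'string': return SAFE_STRING.test(value);
    case 'object':
      return Array.isArray(value)
        ? value.every(isSafeConstValue)
        : Object.entries(value).every(([k, v]) => SAFE_STRING.test(k) && isSafeConstValue(v));
    default: return false;
  }
}

// Depth-first walk; `keysAreNames` is true while the current object's keys
// are names (inside a NAME_MAPS container), so `const` is only treated as a
// keyword at schema-keyword level. Returns [{ path, value }] for each finding.
function findUnsafeConsts(node, path = '#', keysAreNames = false, out = []) {
  if (node === null || typeof node !== 'object') return out;
  if (Array.isArray(node)) {
    node.forEach((item, i) => findUnsafeConsts(item, `${path}/${i}`, false, out));
    return out;
  }
  for (const [key, value] of Object.entries(node)) {
    const childPath = `${path}/${key}`;
    if (!keysAreNames && key === 'const') {
      if (!isSafeConstValue(value)) out.push({ path: childPath, value });
      continue;  // the const value itself was checked as data, not walked as schema
    }
    findUnsafeConsts(value, childPath, !keysAreNames && NAME_MAPS.has(key), out);
  }
  return out;
}

// Constructed sample spec: three harmless consts, one property *named* const,
// and one value with an apostrophe that the allowlist rejects.
const SAMPLE_SPEC = {
  openapi: '3.0.3',
  info: { title: 'constructed sample', version: '1.0.0' },
  paths: {},
  components: {
    schemas: {
      Pet: {
        type: 'object',
        properties: {
          kind:  { type: 'string',  const: 'dog' },
          legs:  { type: 'integer', const: 4 },
          const: { type: 'string' },                 // property named "const", not the keyword
          owner: { type: 'string',  const: "O'Brien" }, // quote character: rejected
        },
      },
    },
  },
};

const findings = findUnsafeConsts(SAMPLE_SPEC);
for (const f of findings) console.log(`reject: ${f.path} = ${JSON.stringify(f.value)}`);
console.log(findings.length === 0 ? 'spec accepted' : 'spec rejected');
```

The gate is deliberately strict: a legitimate value such as "O'Brien" is rejected along with anything hostile, because the workaround cannot tell the two apart, only the patched generator (which escapes the value correctly) can. Run the walk before handing a spec to Orval in CI, and treat any finding on an externally sourced spec as a reason to stop the build rather than to hand-edit the value.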

🧯 If You Can't Patch

  • Only process OpenAPI specifications from trusted sources and implement strict input validation
  • Isolate Orval execution in sandboxed environments or containers with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check package.json for Orval version: if version is ≤7.19.0 or between 8.0.0-rc.0 and 8.0.2, you are vulnerable.

Check Version:

Run 'npm list orval' or 'yarn list orval', or check package.json.

Verify Fix Applied:

Verify Orval version is ≥7.20.0 or ≥8.0.3 after update. Test with a sample OpenAPI spec containing const properties to ensure code is properly escaped.
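
The version comparison behind the checks above, as an added example that is not Orval's tooling and not part of the advisory. It classifies a version string against the ranges stated on this page (7.19.0 and below, 8.0.0-rc.0 through 8.0.2 affected; 7.20.0 and 8.0.3 patched), handling the prerelease ordering that a plain string comparison gets wrong (8.0.0-rc.0 sorts below 8.0.0). The JSON shape assumed for `npm list orval --json` output, and the sample report, are assumptions of this example.

```javascript
// Added example, not Orval's own tooling: classify an installed Orval version
// against the ranges in this advisory. Assumes plain semver strings such as
// "7.19.0" or "8.0.0-rc.0".

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Semver precedence: numeric core first; a prerelease sorts below the same
// core without one; prerelease identifiers compare field by field, numeric
// fields numerically and below alphanumeric ones. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] < y.core[i] ? -1 : 1;
  }
  if (!x.pre && !y.pre) return 0;
  if (!x.pre) return 1;
  if (!y.pre) return -1;
  const n = Math.max(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    if (x.pre[i] === undefined) return -1;  // shorter prerelease sorts first
    if (y.pre[i] === undefined) return 1;
    const xn = /^\d+$/.test(x.pre[i]), yn = /^\d+$/.test(y.pre[i]);
    if (xn && yn) {
      if (Number(x.pre[i]) !== Number(y.pre[i])) return Number(x.pre[i]) < Number(y.pre[i]) ? -1 : 1;
    } else if (xn !== yn) {
      return xn ? -1 : 1;
    } else if (x.pre[i] !== y.pre[i]) {
      return x.pre[i] < y.pre[i] ? -1 : 1;
    }
  }
  return 0;
}

const inRange = (v, lo, hi) => compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;

// Affected per the advisory: 7.19.0 and below, and 8.0.0-rc.0 through 8.0.2.
function isVulnerableOrval(version) {
  return compareVersions(version, '7.19.0') <= 0 || inRange(version, '8.0.0-rc.0', '8.0.2');
}

// 'fixed' means at or above a patched release (7.20.0 on the 7.x line, 8.0.3
// and later otherwise); anything else outside the affected ranges is
// 'unknown', e.g. a prerelease the advisory does not mention.
function classifyOrval(version) {
  if (isVulnerableOrval(version)) return 'vulnerable';
  const { core } = parseVersion(version);
  const fixed = (core[0] === 7 && compareVersions(version, '7.20.0') >= 0)
    || compareVersions(version, '8.0.3') >= 0;
  return fixed ? 'fixed' : 'unknown';
}

// Pull the installed version out of parsed `npm list orval --json` output.
// The { dependencies: { orval: { version } } } shape is an assumption here.
function versionFromNpmList(report) {
  const entry = report && report.dependencies && report.dependencies.orval;
  return entry && entry.version ? entry.version : null;
}

// Constructed sample of what `npm list orval --json` might return.
const SAMPLE_NPM_LIST = { name: 'example-app', dependencies: { orval: { version: '8.0.2' } } };

const installed = versionFromNpmList(SAMPLE_NPM_LIST);
console.log(`orval ${installed}: ${classifyOrval(installed)}`);  // orval 8.0.2: vulnerable
```

In a real pipeline, pipe `npm list orval --json` into this and fail the build on 'vulnerable'; treat 'unknown' (for example an 8.0.0-alpha build, or a prerelease of 8.0.3) as a manual review item rather than a pass, since the advisory does not cover those versions.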

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution during mock generation
  • Errors in TypeScript compilation of generated mock files
  • Unusual network connections from build processes

Network Indicators:

  • Outbound connections from CI/CD systems to unexpected destinations during build processes

SIEM Query:

Process execution where command contains 'orval' AND (parent process is 'node' OR 'npm' OR 'yarn')
