CVE-2026-23947: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in orval-labs orval
CVE-2026-23947 is a high-severity command injection vulnerability in orval versions 7.10.0 up to but not including 8.0.2. It allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code via the x-enumDescriptions field, which is improperly escaped in the generated client code. This leads to arbitrary code execution in environments consuming the generated clients without requiring authentication or user interaction. The vulnerability affects the @orval/core code path during const enum generation and was fixed in orval 8.0.2.
AI Analysis
Technical Summary
CVE-2026-23947 is a command injection vulnerability classified under CWE-77 affecting the orval tool, which generates type-safe JavaScript/TypeScript clients from OpenAPI v3 or Swagger v2 specifications. Versions 7.10.0 through 8.0.1 are vulnerable due to improper neutralization of special elements in the x-enumDescriptions field. This field is embedded directly into the generated client code within the getEnumImplementation() function without proper escaping or sanitization, allowing an attacker to inject arbitrary TypeScript or JavaScript code. The injection occurs during the generation of const enums, resulting in executable code being embedded in the generated schema files. This vulnerability is similar in nature to CVE-2026-22785 but affects a different code path in the @orval/core package that was not addressed by the previous fix. Exploitation requires supplying a malicious OpenAPI specification to the orval client generator, which then produces compromised client code. When this client code is executed in the consuming environment, the injected code runs with the privileges of the host process, potentially leading to arbitrary code execution, data compromise, or system disruption. The vulnerability is exploitable remotely without authentication or user interaction, as the attack vector is the ingestion of crafted OpenAPI specs. The issue was fixed in orval version 8.0.2 by properly escaping or sanitizing the x-enumDescriptions field during code generation. No known exploits are reported in the wild as of the publication date. The CVSS 4.0 score of 8.9 reflects the vulnerability's high impact on confidentiality, integrity, and availability, combined with its ease of exploitation over the network without privileges or user interaction.
Potential Impact
For European organizations, the impact of CVE-2026-23947 can be significant, particularly for those relying on orval to generate API clients from third-party or external OpenAPI specifications. Exploitation can lead to arbitrary code execution within development, testing, or production environments where the generated clients are used. This can compromise sensitive data, allow attackers to pivot within internal networks, or disrupt critical services. Organizations in sectors such as software development, cloud services, fintech, and any API-driven business are at heightened risk. The vulnerability undermines the trustworthiness of generated client code, potentially leading to supply chain risks if malicious OpenAPI specs are introduced via compromised repositories or third-party integrations. Given the ease of exploitation and the lack of required authentication, attackers can remotely target vulnerable environments by submitting crafted OpenAPI specs. This elevates the risk of widespread impact across European companies that integrate orval-generated clients into their software stacks. Additionally, the vulnerability could be leveraged in targeted attacks against strategic industries or government entities that rely on automated API client generation.
Mitigation Recommendations
The primary mitigation is to upgrade all instances of orval to version 8.0.2 or later, where the vulnerability has been fixed by proper escaping of the x-enumDescriptions field. Organizations should implement strict validation and sanitization of all OpenAPI specifications before feeding them into orval or any client generation tool to prevent injection of malicious code. Establishing a trusted source policy for OpenAPI specs and using cryptographic verification or signatures can reduce the risk of supply chain attacks. Incorporate static code analysis and security scanning of generated client code to detect suspicious or unexpected code patterns. Limit the execution privileges of environments running generated clients to minimize impact if exploitation occurs. Educate developers and DevOps teams about the risks of consuming untrusted API specifications and enforce secure development lifecycle practices. Monitor for unusual behavior in environments where orval-generated clients are deployed. Finally, maintain an inventory of affected orval versions across the organization to ensure timely patching.
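One way to apply the pre-generation validation recommended above, as an added example that is neither orval's own code nor the fix shipped in 8.0.2: it walks an OpenAPI document, flags x-enumDescriptions values containing sequences that could terminate the comment or string context a generator embeds them in, and shows a defensive escaping helper. The embedding context (a JSDoc block comment), the function names findUnsafeEnumDescriptions/toSafeJsDoc and the sample spec are assumptions constructed for this example.

```javascript
// Added example, not orval's code. Assumption: the generator places each
// description inside a block comment or string literal in the emitted
// TypeScript, so sequences that can close that context are the risk.
const DANGEROUS = [
  { name: 'comment-terminator', re: /\*\// },
  { name: 'line-break', re: /[\r\n\u2028\u2029]/ },
  { name: 'quote', re: /["'`]/ },
  { name: 'template-expr', re: /\$\{/ },
];

// Recursively walk any OpenAPI document object and report every
// x-enumDescriptions entry that matches one of the patterns above.
function findUnsafeEnumDescriptions(doc, path = '#') {
  const findings = [];
  if (!doc || typeof doc !== 'object') return findings;
  for (const [key, value] of Object.entries(doc)) {
    const here = `${path}/${key}`;
    if (key === 'x-enumDescriptions' && value && typeof value === 'object') {
      const entries = Array.isArray(value)
        ? value.map((v, i) => [String(i), v])
        : Object.entries(value);
      for (const [member, text] of entries) {
        for (const { name, re } of DANGEROUS) {
          if (typeof text === 'string' && re.test(text)) {
            findings.push({ path: `${here}/${member}`, reason: name });
          }
        }
      }
    } else {
      findings.push(...findUnsafeEnumDescriptions(value, here));
    }
  }
  return findings;
}

// Defensive emitter (hypothetical): neutralise the comment terminator and
// collapse line breaks before embedding text in a JSDoc comment.
function toSafeJsDoc(text) {
  const safe = String(text)
    .replace(/\*\//g, '*\\/')
    .replace(/[\r\n\u2028\u2029]+/g, ' ');
  return `/** ${safe} */`;
}

// Constructed sample spec (not from the advisory): one clean description and
// one that would close a block comment early.
const sampleSpec = {
  openapi: '3.0.0',
  components: { schemas: { Status: {
    type: 'string', enum: ['active', 'disabled'],
    'x-enumDescriptions': { active: 'Account is live', disabled: 'Closed */ not a comment anymore' },
  } } },
};
```

Run the check in CI before invoking the generator and fail the build on any finding, so a spec from a third-party source never reaches code generation unreviewed.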
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Ireland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-19T14:49:06.311Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 696ed1704623b1157cdcb263
Added to database: 1/20/2026, 12:50:56 AM
Last enriched: 1/20/2026, 1:05:33 AM
Last updated: 1/20/2026, 2:21:15 AM
Views: 4