CVE-2026-23947: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') in orval-labs orval
CVE-2026-23947 is a critical command injection vulnerability in orval, a tool generating type-safe TypeScript clients from OpenAPI/Swagger specs. Versions prior to 7.19.0 and between 8.0.0-rc.0 and 8.0.2 are affected. The flaw allows untrusted OpenAPI specifications to inject arbitrary JavaScript/TypeScript code via the x-enumDescriptions field, which is embedded without proper escaping during enum generation.
AI Analysis
Technical Summary
CVE-2026-23947 is a critical command injection vulnerability (CWE-77) affecting orval, a popular tool used to generate type-safe JavaScript/TypeScript clients from OpenAPI v3 or Swagger v2 specifications. The vulnerability exists in versions prior to 7.19.0 and between 8.0.0-rc.0 and 8.0.2. The root cause is improper neutralization of special elements in the x-enumDescriptions field within OpenAPI specifications. Orval embeds this field directly into the generated TypeScript code in the getEnumImplementation() function without proper escaping or sanitization. This allows an attacker who can supply or influence the OpenAPI specification to inject arbitrary TypeScript/JavaScript code that executes when the generated client code is run. The injection occurs specifically during the generation of const enums, resulting in executable code embedded in the generated schema files. This vulnerability is similar in nature to CVE-2026-22785 but affects a different code path in the @orval/core package that was not covered by the previous fix. Exploitation requires no authentication or user interaction and can lead to full arbitrary code execution in the environment where the generated client is used, potentially compromising confidentiality, integrity, and availability. Although no known exploits are reported in the wild, the high CVSS 9.3 score reflects the critical severity and ease of exploitation. The issue was publicly disclosed on January 20, 2026, and fixed in orval versions 7.19.0 and 8.0.2. Organizations using orval to generate API clients from untrusted or external OpenAPI specs should urgently upgrade and validate inputs to prevent exploitation.
Potential Impact
For European organizations, the impact of CVE-2026-23947 can be severe, especially for those involved in software development, API integration, and microservices architectures that rely on orval-generated clients. Exploitation can lead to arbitrary code execution within development or runtime environments, potentially allowing attackers to execute malicious payloads, steal sensitive data, manipulate API interactions, or disrupt services. This can compromise the confidentiality, integrity, and availability of critical systems and data. Since orval-generated clients are often embedded in internal or external-facing applications, the vulnerability could be leveraged to pivot into broader network environments or supply chain attacks. The lack of authentication or user interaction requirements increases the risk of automated exploitation if untrusted OpenAPI specs are consumed. European organizations handling sensitive data under GDPR may face regulatory and reputational consequences if exploited. The threat is particularly relevant for sectors with high API usage such as finance, healthcare, telecommunications, and government services.
Mitigation Recommendations
1. Immediately upgrade orval to version 7.19.0 or 8.0.2 or later, where the vulnerability is fixed.
2. Implement strict validation and sanitization of all OpenAPI specifications before feeding them into orval, especially those obtained from external or untrusted sources.
3. Establish a policy to only consume OpenAPI specs from trusted and verified providers.
4. Use static code analysis tools to scan generated client code for suspicious or injected code patterns.
5. Integrate security checks into CI/CD pipelines to detect unsafe OpenAPI specs or vulnerable orval versions.
6. Isolate environments where generated clients run to limit the blast radius of potential code execution.
7. Monitor runtime environments for anomalous behavior indicative of exploitation attempts.
8. Educate development teams about the risks of consuming untrusted API specifications and secure coding practices related to code generation tools.
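As an added illustration of mitigation steps 2 and 4 (example code, not orval's own): a pre-generation check that walks an OpenAPI document for x-enumDescriptions values containing sequences able to close a string literal or comment in generated TypeScript, beside a hardened way to embed such text. It assumes a generator that splices description text into source; the sample spec and the helper names are constructed.

```javascript
// Added example, not orval's code. Assumption: the generator splices
// x-enumDescriptions text into TypeScript source (string literals and/or
// JSDoc comments), so any sequence that can close those contexts is unsafe.
const UNSAFE_PATTERNS = [
  { name: "comment-terminator", re: /\*\// },
  { name: "line-break", re: /[\r\n\u2028\u2029]/ },
  { name: "template-interpolation", re: /\$\{/ },
  { name: "quote-or-backslash", re: /["'`\\]/ },
];

// Walk the whole spec and report every x-enumDescriptions entry (object or
// array form) whose text could break out of a string or comment.
function findUnsafeEnumDescriptions(spec) {
  const findings = [];
  const visit = (node, path) => {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      const here = `${path}/${key}`;
      if (key !== "x-enumDescriptions") { visit(value, here); continue; }
      const entries = Array.isArray(value)
        ? value.map((v, i) => [String(i), v])
        : Object.entries(value ?? {});
      for (const [member, text] of entries) {
        const reasons = UNSAFE_PATTERNS.filter((p) => p.re.test(String(text))).map((p) => p.name);
        if (reasons.length) findings.push({ path: `${here}/${member}`, reasons });
      }
    }
  };
  visit(spec, "#");
  return findings;
}

// Hardened embedding: description text becomes a JSON string literal (quotes,
// backslashes and line breaks escaped) or a single-line, comment-safe JSDoc text.
function toSafeLiteral(text) { return JSON.stringify(String(text)); }
function toSafeComment(text) {
  return String(text).replace(/\*\//g, "*\\/").replace(/[\r\n\u2028\u2029]+/g, " ");
}

// Constructed sample spec: one clean description and one that would close a comment.
const SAMPLE_SPEC = {
  openapi: "3.0.0",
  components: { schemas: { Status: {
    type: "string", enum: ["active", "archived"],
    "x-enumDescriptions": { active: "Record is live", archived: "Old */ record" },
  } } },
};
```

Run the check in CI before invoking the generator and fail the build on any finding; the escaping helpers show the behaviour a generator needs regardless of which fixed version is installed.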
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-19T14:49:06.311Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 696ed1704623b1157cdcb263
Added to database: 1/20/2026, 12:50:56 AM
Last enriched: 1/27/2026, 8:05:56 PM
Last updated: 2/6/2026, 6:06:42 AM