AutoMapper is a widely used convention-based object-to-object mapping library in the .NET ecosystem, designed to simplify the transformation of data between different object models. CVE-2026-32933 identifies a vulnerability classified under CWE-674 (Uncontrolled Recursion) affecting AutoMapper versions prior to 15.1.1 and between 16.0.0 and 16.1.1. The root cause is the library's recursive approach to mapping deeply nested object graphs without enforcing a maximum recursion depth limit. When an attacker supplies a specially crafted object graph with excessive nesting, the recursive calls exhaust the thread's stack memory, resulting in a StackOverflowException. This exception causes the entire application process to terminate abruptly, leading to a Denial of Service (DoS) condition. The vulnerability does not impact confidentiality or integrity but severely affects availability. Exploitation requires no privileges or user interaction and can be triggered remotely if the application processes untrusted input through AutoMapper. The issue is resolved in versions 15.1.1 and 16.1.1 by introducing recursion depth limits or other safeguards to prevent stack exhaustion. No known exploits are currently reported in the wild, but the vulnerability's nature and ease of exploitation make it a significant risk for affected applications.

The primary impact of CVE-2026-32933 is a Denial of Service condition caused by application crashes due to stack overflow. Organizations using vulnerable AutoMapper versions in their .NET applications may experience unexpected service outages, degraded user experience, and potential cascading failures if critical services depend on the affected components. This can disrupt business operations, especially for web applications, APIs, and backend services that rely on AutoMapper for data transformation. The vulnerability does not expose sensitive data or allow unauthorized code execution, but the loss of availability can have severe operational and reputational consequences. Enterprises with high-availability requirements or those operating in regulated industries may face compliance risks if service disruptions occur. Additionally, attackers could leverage this vulnerability as part of a broader attack chain to cause disruption or distract security teams.

To mitigate CVE-2026-32933, organizations should immediately upgrade AutoMapper to versions 15.1.1 or 16.1.1, where the vulnerability is fixed. If upgrading is not immediately feasible, implement input validation and sanitization to restrict the depth and complexity of object graphs processed by AutoMapper, thereby preventing excessive recursion. Developers should audit application code to identify all usage points of AutoMapper and ensure that untrusted or user-supplied data is not mapped without validation. Employ runtime monitoring and alerting for StackOverflowException or application crashes to detect potential exploitation attempts. Consider implementing circuit breakers or fallback mechanisms to maintain service availability during failures. Finally, maintain an inventory of .NET dependencies and apply timely patch management practices to reduce exposure to similar vulnerabilities.