
CVE-2026-33331: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in middleapi orpc

Severity: High
Tags: CVE-2026-33331, CWE-79
Published: Tue Mar 24 2026 (03/24/2026, 19:18:00 UTC)
Source: CVE Database V5
Vendor/Project: middleapi
Product: orpc

Description

CVE-2026-33331 is a high-severity stored cross-site scripting (XSS) vulnerability affecting versions of the middleapi orpc tool prior to 1.13.9. The vulnerability arises from improper neutralization of input during the generation of OpenAPI documentation, allowing attackers who can control fields in the OpenAPI specification (e.g., info.description) to inject malicious JavaScript. When a user views the generated API documentation, this script executes, potentially compromising confidentiality by stealing sensitive data. Exploitation requires no authentication but does require user interaction to view the malicious documentation. The vulnerability has been patched in version 1.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/31/2026, 20:23:13 UTC

Technical Analysis

CVE-2026-33331 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the middleapi orpc tool, which facilitates building end-to-end type-safe APIs compliant with OpenAPI standards. The vulnerability exists in versions prior to 1.13.9 within the OpenAPI documentation generation component. Specifically, if an attacker can manipulate any field in the OpenAPI specification—such as the info.description field—they can inject payloads that break out of the JSON context used in the documentation rendering. This leads to arbitrary JavaScript execution when a user accesses the generated API documentation page. The vulnerability does not require authentication but does require the victim to view the compromised documentation, making it a stored XSS vector. The impact primarily affects confidentiality by enabling theft of session tokens, credentials, or other sensitive data accessible in the browser context. Integrity impact is low as the attack does not alter backend data, and availability is unaffected. The vulnerability has been addressed in version 1.13.9 by properly sanitizing and encoding user-controlled inputs before embedding them in the documentation. No known exploits are currently observed in the wild, but the high CVSS score of 8.2 reflects the ease of exploitation and potential impact. Organizations using orpc should prioritize upgrading and auditing their OpenAPI specifications to prevent injection of malicious content.

Potential Impact

The primary impact of this vulnerability is on the confidentiality of users interacting with the API documentation generated by orpc. Attackers can execute arbitrary JavaScript in the context of the documentation page, potentially stealing authentication tokens, cookies, or other sensitive information accessible via the browser. This can lead to account compromise or unauthorized access to internal systems if the documentation is accessed by privileged users. The integrity of backend systems is minimally affected since the attack vector is client-side script execution without direct backend modification. Availability is not impacted. However, the scope of affected systems includes any organization using orpc versions prior to 1.13.9 to generate OpenAPI documentation, especially those exposing documentation to external or untrusted users. The vulnerability could be leveraged in targeted attacks against developers, API consumers, or internal teams relying on orpc-generated documentation, potentially facilitating further attacks within the organization’s infrastructure.

Mitigation Recommendations

1. Upgrade all instances of middleapi orpc to version 1.13.9 or later, where the vulnerability has been patched.
2. Implement strict validation and sanitization of all fields in the OpenAPI specification, especially those that can be user-controlled or externally sourced, to prevent injection of malicious scripts.
3. Restrict access to API documentation to trusted users only, using authentication and authorization controls, to reduce exposure to potential attackers.
4. Employ Content Security Policy (CSP) headers on the documentation hosting environment to limit the execution of unauthorized scripts.
5. Regularly audit and review OpenAPI specifications for suspicious or unexpected content before publishing documentation.
6. Educate developers and API consumers about the risks of XSS in API documentation and encourage safe browsing practices.
7. Monitor logs and user reports for signs of suspicious activity related to API documentation access.
8. Consider isolating API documentation in sandboxed environments or separate domains to limit the impact of any potential XSS exploitation.
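The "break out of the JSON context" failure described in the Technical Analysis, and the sanitization step in mitigation 2, illustrated with added example code that is not orpc's own. It assumes a documentation page that inlines the spec object in a `<script>` element; the sample spec, the `window.__SPEC__` name and the helper functions are constructed for this example.

```javascript
// Added example (not orpc's code): embedding an OpenAPI spec object inside an
// inline <script> on a documentation page. The naive form lets a field such as
// info.description that contains "</script>" terminate the script element;
// the hardened form escapes the characters that can break out of the JSON/script
// context, so the spec stays inert data that the page's own loader parses.

// Constructed sample: a spec whose description carries an HTML-closing sequence
// and a JS line terminator (U+2028), both of which a naive embed passes through.
const sampleSpec = {
  openapi: "3.1.0",
  info: {
    title: "Example API",
    description: "Pet store docs </script> trailing text \u2028 end",
  },
  paths: {},
};

// Vulnerable pattern: JSON.stringify alone leaves "</script>" intact, so the
// HTML parser closes the element early and whatever follows becomes markup.
function embedSpecNaive(spec) {
  return `<script>window.__SPEC__ = ${JSON.stringify(spec)};</script>`;
}

// Hardened pattern: escape <, >, & and the line terminators U+2028/U+2029 as
// \uXXXX sequences. The result is still valid JSON, so the page can keep reading
// it with JSON.parse, but the HTML parser never sees a literal "</script>".
function safeJsonForInlineScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"),
  );
}

function embedSpecHardened(spec) {
  return `<script>window.__SPEC__ = ${safeJsonForInlineScript(spec)};</script>`;
}

// Defensive check for a build step or test: the markup must contain exactly one
// closing script tag (the one the template wrote).
function scriptContextIsIntact(html) {
  const closers = html.match(/<\/script/gi) || [];
  return closers.length === 1;
}

// Confirms the hardened encoding loses no information.
function roundTrip(spec) {
  return JSON.parse(safeJsonForInlineScript(spec));
}
```

The same `scriptContextIsIntact` check, run over the rendered documentation HTML in CI, catches a regression in the encoder before the page is published.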


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-18T22:15:11.811Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69c2ea08f4197a8e3b6b6429

Added to database: 3/24/2026, 7:46:16 PM

Last enriched: 3/31/2026, 8:23:13 PM

Last updated: 5/7/2026, 6:08:41 AM

Views: 46

