CVE-2026-49451: CWE-674: Uncontrolled Recursion in microsoft OpenAPI.NET
The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until 2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. This vulnerability is fixed in 2.7.5 and 3.5.4.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2026-49451 is an uncontrolled recursion vulnerability (CWE-674) in the Microsoft OpenAPI.NET SDK. When parsing OpenAPI documents containing circular schema references, the SDK's public reader APIs for both JSON and YAML can enter infinite recursion, causing a stack overflow and process crash. This affects versions starting from 2.0.0-preview11 up to but excluding 2.7.5 and 3.5.4. The vulnerability has a CVSS 3.1 base score of 7.5 (high severity) due to its network attack vector, low attack complexity, no privileges or user interaction required, and impact on availability only. The issue is resolved in versions 2.7.5 and 3.5.4.
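As an added illustration (this is not code from OpenAPI.NET or from the advisory), the following Python walks the `components.schemas` section of an OpenAPI document and reports `$ref` cycles, the condition that sends the affected reader versions into unbounded recursion. It follows only local `#/components/schemas/` references, and the sample document is constructed here; the walk itself traverses the finite document tree rather than the reference edges, so it terminates whatever the references point at.

```python
"""Report circular $ref chains among an OpenAPI document's component schemas."""
import json

SCHEMA_PREFIX = "#/components/schemas/"


def _collect_refs(node, out):
    """Gather local schema names referenced below a JSON node.  This walks the
    finite document tree, not the $ref edges, so it always terminates."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if isinstance(ref, str) and ref.startswith(SCHEMA_PREFIX):
            out.add(ref[len(SCHEMA_PREFIX):])
        for value in node.values():
            _collect_refs(value, out)
    elif isinstance(node, list):
        for item in node:
            _collect_refs(item, out)
    return out


def find_schema_cycles(document):
    """Return every $ref cycle found, each as the list of schema names on it."""
    schemas = document.get("components", {}).get("schemas", {})
    graph = {name: _collect_refs(body, set()) for name, body in schemas.items()}
    state = {}  # schema name -> "visiting" (on the current path) or "done"
    cycles = []

    def visit(name, path):
        if state.get(name) == "done":
            return
        if state.get(name) == "visiting":  # back edge: name is already on path
            cycles.append(path[path.index(name):] + [name])
            return
        state[name] = "visiting"
        for target in sorted(graph.get(name, ())):
            visit(target, path + [name])
        state[name] = "done"

    for name in schemas:
        visit(name, [])
    return cycles


# Constructed sample: a self-referential "Node" and a two-schema A <-> B loop.
SAMPLE_DOC = json.loads("""{"openapi": "3.0.0", "components": {"schemas": {
  "Node": {"type": "object", "properties": {"next": {"$ref": "#/components/schemas/Node"}}},
  "A": {"allOf": [{"$ref": "#/components/schemas/B"}]},
  "B": {"type": "object", "properties": {"a": {"$ref": "#/components/schemas/A"}}},
  "Leaf": {"type": "string"}}}}""")
```

Recursive schemas are valid OpenAPI, so a reported cycle marks a document that exercises the affected code path, not a hostile one; the advisory lists no mitigation other than upgrading.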
Potential Impact
An attacker can cause a denial of service by supplying a crafted OpenAPI document with circular schema references, leading to a stack overflow and process termination. There is no impact on confidentiality or integrity; only availability is affected.
Mitigation Recommendations
Upgrade to Microsoft OpenAPI.NET SDK version 2.7.5 or later, or 3.5.4 or later, where the vulnerability is fixed. No other mitigations are specified. Patch status is confirmed by the vendor advisory indicating fixes in these versions.
CVSS v3.1
Score: 7.5 (High)
Affected software
pkg:nuget/microsoft.openapi.net
Weaknesses
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-30T02:43:33.106Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a43f42f27e9c79719185ed1
Added to database: 06/30/2026, 16:51:59 UTC
Last enriched: 06/30/2026, 17:08:05 UTC
Last updated: 06/30/2026, 23:56:56 UTC