CVE-2026-49451: OpenAPI.NET SDK Circular Schema Reference Causes Process Termination (CVSS 7.5 HIGH)
Per the NVD entry published June 30, CVE-2026-49451 affects Microsoft's OpenAPI.NET SDK from 2.0.0-preview11 until 2.7.5 and 3.5.4.
At a glance
- CVE-2026-49451 lets a small OpenAPI document with a circular schema reference crash processes via stack overflow in Microsoft.OpenApi.
- Affected versions run from 2.0.0-preview11 until 2.7.5 and 3.5.4, with fixes in 2.7.5 and 3.5.4.
- The vulnerability is rated CVSS 7.5 HIGH and confirmed across JSON and YAML reader paths.
VERDICT — CONFIRMED
A vulnerability in Microsoft's OpenAPI.NET SDK, tracked as CVE-2026-49451, allows a small OpenAPI document containing a circular schema reference to cause process termination through stack overflow, per the National Vulnerability Database entry published June 30. The flaw is rated CVSS 7.5 HIGH and is fixed in versions 2.7.5 and 3.5.4.
The defect sits in Microsoft.OpenApi and affects document parsing through the library's public reader APIs, with the crash condition confirmed across both the JSON and YAML paths, per the NVD entry. The affected range runs from version 2.0.0-preview11 until 2.7.5, with the 3.x line affected up to the 3.5.4 fix. Because the trigger is a malformed document rather than a privileged operation, any service that parses OpenAPI files supplied by users or third parties is exposed to a denial-of-service condition.
The scoring vector recorded against the entry — CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, submitted by GitHub, Inc. — describes a network-reachable flaw requiring no privileges or user interaction, with the impact confined to availability, per the NVD record. The weakness is classified as CWE-674, uncontrolled recursion, and the entry references GitHub security advisory GHSA-v5pm-xwqc-g5wc. The NVD listing was marked as awaiting enrichment at publication, with proof-of-concept exploitation noted as confirmed in the advisory material.
Background
OpenAPI.NET is Microsoft's library for reading, writing and manipulating OpenAPI descriptions in .NET applications. The OpenAPI Specification — formerly known as Swagger — is the dominant industry standard for describing REST APIs in machine-readable form, and libraries that parse such documents sit inside a wide range of developer tooling: API gateways, documentation generators, client-SDK builders and validation services, many of which routinely accept documents from outside their own trust boundary.
Circular references are a long-standing hazard for schema parsers. A document in which one schema refers to another that refers back to the first can drive a naive resolver into unbounded recursion, exhausting the call stack. Because stack overflows in .NET terminate the process rather than raising a catchable exception, the class of bug converts a small crafted file into a reliable crash — a pattern that has produced denial-of-service advisories across parser libraries in many ecosystems.
What comes next
The immediate remediation, per the NVD entry, is to update to version 2.7.5 or 3.5.4 depending on the release line in use. Teams that expose OpenAPI parsing to untrusted input would ordinarily prioritise the upgrade, and downstream tools that bundle Microsoft.OpenApi may issue their own point releases as the fix propagates. Fuller NVD analysis, including any revised scoring, would follow once the entry completes enrichment.
Key facts on file
- CVE-2026-49451 lets a small OpenAPI document with a circular schema reference crash processes via stack overflow in Microsoft.OpenApi.
- Affected versions run from 2.0.0-preview11 until 2.7.5 and 3.5.4, with fixes in 2.7.5 and 3.5.4.
- The vulnerability is rated CVSS 7.5 HIGH and confirmed across JSON and YAML reader paths.