CVE-2026-22785
Published: 12 January 2026
Summary
CVE-2026-22785 is a critical-severity Command Injection (CWE-77) vulnerability in Orval Orval. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely identification, reporting, and patching of flaws in development tools like orval directly remediates CVE-2026-22785 by upgrading to the fixed version 7.18.0.
Validating OpenAPI specification inputs such as the summary field before processing with orval prevents attackers from injecting arbitrary code via unescaped strings.
Authorizing and whitelisting only approved versions of software tools like orval (7.18.0+) restricts use of vulnerable instances prone to command injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct command injection (CWE-77) into generated JS/TS output enables arbitrary code execution (T1059.007) on the victim system when processing attacker-supplied OpenAPI input; this is a client-side exploitation vector (T1203).
NVD Description
orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or…
more
escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0.
Deeper analysisAI
CVE-2026-22785 is a critical vulnerability in orval, a tool that generates type-safe JavaScript/TypeScript clients from OpenAPI v3 or Swagger v2 specifications. In versions prior to 7.18.0, the MCP server generation logic performs string manipulation that directly incorporates the summary field from the OpenAPI specification without proper validation or escaping. This flaw enables attackers to break out of the intended string literal and inject arbitrary code, classified under CWE-77 (Command Injection) with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The vulnerability can be exploited remotely by any unauthenticated attacker with network access, requiring low complexity and no user interaction. Exploitation occurs when a developer processes a malicious OpenAPI specification containing a crafted summary field during client or MCP server generation, leading to arbitrary code execution on the developer's system with the privileges of the orval process.
The GitHub security advisory (GHSA-mwr6-3gp8-9jmj) and fixing commit (80b5fe73b94f120a3a5561952d6d4b0f8d7e928d) confirm the issue is resolved in orval version 7.18.0 through proper validation and escaping of the summary field. Security practitioners should advise upgrading to 7.18.0 or later and recommend validating OpenAPI specifications from untrusted sources before processing.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp