CVE-2026-23947
Published: 20 January 2026
Summary
CVE-2026-23947 is a critical-severity Command Injection (CWE-77) vulnerability in Orval. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). It ranks at the 13.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates CVE-2026-23947 by requiring organizations to monitor for and apply patches to vulnerable Orval versions, such as upgrading to 7.19.0 or 8.0.2.
- SI-10 (Information Input Validation): requires validation of untrusted OpenAPI specifications at input points to block malicious code injection via the unescaped x-enumDescriptions field.
- Integrity verification of generated TypeScript client files helps identify unauthorized code injected from malicious OpenAPI specifications.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct arbitrary JS/TS code injection via unescaped x-enumDescriptions into generated client files enables execution through the JavaScript interpreter (T1059.007).
NVD Description
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue.
Deeper analysis
CVE-2026-23947 is an arbitrary code execution vulnerability in Orval, a tool that generates type-safe JavaScript/TypeScript clients from OpenAPI v3 or Swagger v2 specifications. It affects versions before 7.19.0 and 8.x versions before 8.0.2, specifically in the @orval/core package. The issue arises when an untrusted OpenAPI specification carries arbitrary TypeScript/JavaScript code in the x-enumDescriptions field, which the getEnumImplementation() function embeds without proper escaping during const enum generation. The result is executable code within the generated schema files. The vulnerability is scored at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection) and CWE-94 (Code Injection). It is similar to CVE-2026-22785 but affects a different code path that was not addressed by that fix.
An attacker can exploit this vulnerability by supplying a malicious OpenAPI specification to a victim using a vulnerable Orval version for client generation. No privileges or user interaction are required, enabling remote exploitation over the network with low complexity. Successful exploitation leads to arbitrary code execution in the environment where the generated clients are consumed, potentially allowing full compromise including high confidentiality, integrity, and availability impacts.
The Orval security advisory (GHSA-h526-wf6g-67jv) and release notes for v8.0.2 detail the fix, which properly escapes the x-enumDescriptions field in getEnumImplementation(). Mitigation requires upgrading to Orval 7.19.0 or 8.0.2, where the patch prevents code injection during enum generation.
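The input-validation control (SI-10) can be applied before generation runs. The following is an added example, not Orval's own code: a conservative scanner that walks an OpenAPI document and flags x-enumDescriptions values containing sequences a code generator could read as code. It assumes x-enumDescriptions is either an object mapping enum values to descriptions or an array parallel to enum (the exact shape Orval accepts is not stated on this page), and the flagged character classes are a conservative choice, not Orval's escaping rules.

```javascript
// Added example (not Orval's code): scan an OpenAPI document for x-enumDescriptions values
// that could be interpreted as code if embedded unescaped in generated TypeScript.
// Conservative pattern set; assumed here, not derived from Orval's own escaping logic.
const SUSPICIOUS = [
  { name: "comment terminator", re: /\*\// },
  { name: "line comment", re: /\/\// },
  { name: "line break", re: /[\r\n\u2028\u2029]/ },
  { name: "quote or backtick", re: /["'`]/ },
  { name: "template expression", re: /\$\{/ },
];
// Return the names of every suspicious pattern present in one description value.
function checkDescription(value) {
  if (typeof value !== "string") return ["non-string value"];
  return SUSPICIOUS.filter(({ re }) => re.test(value)).map(({ name }) => name);
}
// Walk the whole document. x-enumDescriptions is assumed to be either an object
// {enumValue: description} or an array parallel to `enum`; both shapes are handled.
function findEnumDescriptionIssues(spec) {
  const issues = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) { node.forEach((v, i) => walk(v, `${path}[${i}]`)); return; }
    if (!node || typeof node !== "object") return;
    for (const [key, val] of Object.entries(node)) {
      const here = `${path}.${key}`;
      if (key !== "x-enumDescriptions") { walk(val, here); continue; }
      const entries = Array.isArray(val) ? val.map((v, i) => [String(i), v]) : Object.entries(val || {});
      for (const [k, v] of entries) {
        const reasons = checkDescription(v);
        if (reasons.length) issues.push({ path: `${here}.${k}`, reasons });
      }
    }
  };
  walk(spec, "$");
  return issues;
}
// Constructed sample spec: one clean enum and one whose descriptions should be rejected.
const sampleSpec = {
  openapi: "3.0.0",
  components: { schemas: {
    Status: { type: "string", enum: ["active", "disabled"],
      "x-enumDescriptions": { active: "Account is active", disabled: "Account is disabled" } },
    Role: { type: "string", enum: ["admin", "user"],
      "x-enumDescriptions": { admin: "Administrator */ trailing text", user: "line one\nline two" } },
  } },
};
// Print every finding; a CI gate would fail the build when this list is non-empty.
for (const issue of findEnumDescriptionIssues(sampleSpec)) {
  console.log(`reject ${issue.path}: ${issue.reasons.join(", ")}`);
}
```

Run the check on a specification before handing it to the generator; an empty result means no description contains the flagged sequences, not that the spec is otherwise trustworthy.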
Details
- CWE(s)