CVE-2026-49451

HIGH 7.5

Microsoft.OpenAPI: Circular schema references may terminate OpenAPI parsing

CVSS Score

7.5

EPSS Score

0.0%

EPSS Percentile

0th

The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until 2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. This vulnerability is fixed in 2.7.5 and 3.5.4.

CWE	CWE-674
Vendor	microsoft
Product	openapi.net
Ecosystems	Windows .NET Azure
Industries	TechnologyEnterprise
Published	Jun 30, 2026

Stay Ahead of the Next One

Get instant alerts for microsoft openapi.net

Be the first to know when new high vulnerabilities affecting microsoft openapi.net are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Affected Versions

microsoft / OpenAPI.NET

>= 2.0.0-preview11, < 2.7.5 >= 3.0.0, < 3.5.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/microsoft/OpenAPI.NET/security/advisories/GHSA-v5pm-xwqc-g5wc