Deserialization Flaw in MessagePack for C# by MessagePack
CVE-2026-48513

6.3 MEDIUM

Key Information:

Vendor
CVE Published: 22 June 2026

What is CVE-2026-48513?

MessagePack for C# contains a deserialization vulnerability in its handling of unions. Prior to versions 2.5.301 and 3.1.7, the generated union deserializers failed to enforce depth checks during recursive deserialization. As a result, malicious users could send crafted data that bypasses safety checks, allowing for potential denial of service or arbitrary code execution. Users should update to the latest versions to mitigate these risks.
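The missing check described above, modeled on a toy format as an added example (this is not code from MessagePack for C# or from this advisory). The tag bytes, the `MaxDepth` value and the method names are assumptions made for illustration; the two readers differ only in whether the union branch counts its recursion level.

```csharp
using System;

// Toy wire format (constructed for this example, not MessagePack):
//   'U' <node>  = union wrapper around one nested node
//   'L'         = leaf value
static class UnionDepthDemo
{
    const int MaxDepth = 64; // assumed limit for untrusted input

    // Mirrors the flaw: the union branch recurses without counting the
    // level, so the nesting the sender chooses is never bounded.
    static int ReadUnguarded(ReadOnlySpan<byte> data, ref int pos)
    {
        if (pos >= data.Length) throw new FormatException("truncated input");
        byte tag = data[pos++];
        if (tag == (byte)'L') return 0;
        if (tag != (byte)'U') throw new FormatException("unknown tag");
        return 1 + ReadUnguarded(data, ref pos);
    }

    // Hardened form: every recursive step is counted and undone on exit.
    static int ReadGuarded(ReadOnlySpan<byte> data, ref int pos, ref int depth)
    {
        if (pos >= data.Length) throw new FormatException("truncated input");
        if (++depth > MaxDepth) throw new InvalidOperationException("max depth exceeded");
        try
        {
            byte tag = data[pos++];
            if (tag == (byte)'L') return 0;
            if (tag != (byte)'U') throw new FormatException("unknown tag");
            return 1 + ReadGuarded(data, ref pos, ref depth);
        }
        finally { depth--; }
    }

    static void Main()
    {
        // Constructed sample: 1,000 nested union wrappers around one leaf.
        byte[] nested = new byte[1001];
        Array.Fill(nested, (byte)'U');
        nested[1000] = (byte)'L';

        int pos = 0;
        Console.WriteLine($"unguarded: accepted {ReadUnguarded(nested, ref pos)} levels");

        pos = 0; int depth = 0;
        try { ReadGuarded(nested, ref pos, ref depth); }
        catch (InvalidOperationException e) { Console.WriteLine($"guarded: rejected ({e.Message})"); }
    }
}
```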

Affected Version(s)

MessagePack-CSharp >= 3.1.7, < 3.1.7 < 3.1.7, 3.1.7

MessagePack-CSharp < 2.5.301

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved