API Specification Code Generation Vulnerability in Hey API
CVE-2026-48819

4.8MEDIUM

Key Information:

Vendor

Hey-api

Vendor
CVE Published:
17 July 2026

What is CVE-2026-48819?

A code generation vulnerability in Hey API allows attackers to exploit runtime templates in generated SDKs prior to version 0.97.3. This flaw enables the injection of attacker-controlled parameters, which can corrupt the intended data structure. By introducing slot-prefixed keys like $query__proto__, attackers can manipulate the API's functionality through prototype pollution, potentially leading to security breaches during the handling of API requests. The issue has been addressed in version 0.97.3.

Affected Version(s)

openapi-ts < 0.97.3

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.