Circular Schema Reference Vulnerability in OpenAPI.NET SDK by Microsoft
CVE-2026-49451

7.5 HIGH

Key Information:

Vendor: Microsoft
CVE Published: 30 June 2026

What is CVE-2026-49451?

The OpenAPI.NET SDK, used to process OpenAPI documents in .NET, has a vulnerability triggered by a circular schema reference in an OpenAPI document. Parsing such a document can terminate the process with a stack overflow; both JSON and YAML input are affected through the public reader APIs. Versions from 2.0.0-preview11 up to, but not including, 2.7.5 are affected, as are versions from 3.0.0 up to, but not including, 3.5.4. Users are encouraged to upgrade to version 2.7.5 or later to mitigate this issue.
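A pre-parse check for the condition described above, as an added example that is not part of the advisory or of OpenAPI.NET: it lists the schemas in a JSON OpenAPI document that sit on, or lead into, a `$ref` cycle, so untrusted documents can be held back from an unpatched reader. Assumptions: the names `cyclic_schemas` and `local_refs` and the sample document are constructed here; the page does not say which cycle shapes trigger the overflow, so every cycle among `components/schemas` is reported, and YAML input would first need a YAML loader.

```python
import json

PREFIX = "#/components/schemas/"

# Constructed sample: A and B reference each other, C points into the loop, D is plain.
SAMPLE = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "constructed sample", "version": "1"},
    "paths": {},
    "components": {"schemas": {
        "A": {"type": "object", "properties": {"b": {"$ref": PREFIX + "B"}}},
        "B": {"type": "array", "items": {"$ref": PREFIX + "A"}},
        "C": {"allOf": [{"$ref": PREFIX + "A"}]},
        "D": {"type": "string"},
    }},
})


def local_refs(node):
    """Collect local schema names referenced under node, walking iteratively."""
    found, work = set(), [node]
    while work:
        cur = work.pop()
        if isinstance(cur, list):
            work.extend(cur)
        elif isinstance(cur, dict):
            ref = cur.get("$ref")
            if isinstance(ref, str) and ref.startswith(PREFIX):
                found.add(ref[len(PREFIX):])
            work.extend(v for k, v in cur.items() if k != "$ref")
    return found


def cyclic_schemas(text):
    """Return sorted names of schemas that sit on, or lead into, a $ref cycle."""
    doc = json.loads(text)
    comps = doc.get("components") if isinstance(doc, dict) else None
    schemas = comps.get("schemas") if isinstance(comps, dict) else None
    if not isinstance(schemas, dict):
        return []
    edges = {name: local_refs(body) for name, body in schemas.items()}
    live = set(edges)
    while True:
        # Peel off schemas with no reference to a still-live schema; the rest loop.
        dead = {n for n in live if not (edges[n] & live)}
        if not dead:
            return sorted(live)
        live -= dead
```

A non-empty result is a reason to quarantine the document for review, not proof that it would crash the reader; legitimate recursive models are flagged too.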

Affected Version(s)

OpenAPI.NET >= 2.0.0-preview11, < 2.7.5 < 2.0.0-preview11, 2.7.5

OpenAPI.NET >= 3.0.0, < 3.5.4 < 3.0.0, 3.5.4

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
