CVE-2026-49451
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk48th percentile — higher than 48% of all known CVEs
Summary
A vulnerability in the Microsoft.OpenApi library (OpenAPI.NET SDK) can cause process termination due to stack overflow when parsing an OpenAPI document with a circular schema reference. The issue affects versions from 2.0.0-preview11 to 2.7.5 and 3.5.4, confirmed for both JSON and YAML readers.
Risk Assessment
An attacker can send a crafted OpenAPI document, causing application crash (DoS) via stack overflow, leading to service disruption.
Recommendation
Immediately update the Microsoft.OpenApi library to version 2.7.5 or 3.5.4, depending on the branch in use.
Original NVD description (English source)
The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until 2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. This vulnerability is fixed in 2.7.5 and 3.5.4.

