CVE-2026-22785

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2026-22785

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22785.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2026-22785

Aliases

GHSA-mwr6-3gp8-9jmj

Published

2026-01-12T18:43:16.637Z

Modified

2026-01-12T19:56:21.890516Z

Severity

9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

orval MCP client is vulnerable to a code injection attack.

Details

orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22785.json",
    "cwe_ids": [
        "CWE-77"
    ]
}

References

Affected packages

Git / github.com/orval-labs/orval

Affected ranges

Type

GIT

Repo

https://github.com/orval-labs/orval

Events

Introduced

Fixed

0eaab4d5a59bbe688f87b785bc1e47fa5cc1f719

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "7.18.0"
        }
    ]
}

Affected versions

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.1.0

v2.1.1

v2.1.2

v2.2.0

v2.2.1

v2.2.2

v2.3.0

v2.3.1

v2.4.0

v2.4.1

v2.5.0

v2.5.1

v2.5.2

v2.5.3

v2.5.4

v2.5.5

v2.5.6

v2.5.7

v2.5.8

v2.5.9

v2.6.0

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.1.5

v3.1.6

v3.1.7

v3.1.8

v3.1.9

v3.2.0

v3.2.1

v3.2.2

v3.2.3

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.1.0

v4.2.0

v4.2.1

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.1.4

v5.2.0

v5.3.0

v5.3.1

v5.3.2

v5.4.0

v5.4.1

v5.4.10

v5.4.11

v5.4.12

v5.4.13

v5.4.14

v5.4.2

v5.4.3

v5.4.4

v5.4.5

v5.4.6

v5.4.7

v5.4.8

v5.4.9

v5.5.0

v5.5.1

v5.5.10

v5.5.2

v5.5.3

v5.5.4

v5.5.5

v5.5.6

v5.5.7

v5.5.8

v5.5.9

v6.*

v6.0.0

v6.0.1

v6.0.2

v6.0.3

v6.0.4

v6.1.0

v6.1.1

v6.1.2

v6.10.2

v6.10.3

v6.11.0

v6.11.1

v6.12.0

v6.12.1

v6.13.0

v6.13.1

v6.14.0

v6.14.1

v6.14.2

v6.14.3

v6.14.4

v6.15.0

v6.16.0

v6.17.0

v6.18.0

v6.18.1

v6.19.0

v6.19.1

v6.2.0

v6.2.1

v6.2.2

v6.2.3

v6.2.4

v6.20.0

v6.21.0

v6.22.0

v6.22.1

v6.23.0

v6.24.0

v6.25.0

v6.26.0

v6.27.0

v6.27.1

v6.28.0

v6.28.1

v6.28.2

v6.29.0

v6.29.1

v6.3.0

v6.30.0

v6.30.1

v6.30.2

v6.31.0

v6.4.0

v6.4.1

v6.4.2

v6.4.3

v6.5.0

v6.5.1

v6.5.2

v6.5.3

v6.6.0

v6.6.1

v6.6.2

v6.6.3

v6.6.4

v6.7.0

v6.7.1

v6.8.0

v6.8.1

v6.9.0

v6.9.1

v6.9.2

v6.9.3

v6.9.4

v6.9.5

v6.9.6

v7.*

v7.0.0

v7.0.1

v7.1.0

v7.1.1

v7.10.0

v7.11.0

v7.11.1

v7.11.2

v7.12.0

v7.12.1

v7.12.2

v7.13.0

v7.13.1

v7.13.2

v7.14.0

v7.15.0

v7.16.0

v7.16.1

v7.17.0

v7.17.2

v7.2.0

v7.3.0

v7.4.0

v7.4.1

v7.5.0

v7.6.0

v7.7.0

v7.8.0

v7.9.0

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22785.json"