CVE-2026-49451: Microsoft.OpenAPI Uncontrolled Recursion via Circular Schema References
A tiny OpenAPI document with two schemas that point at each other can exhaust the call stack and terminate any .NET process that parses it using Microsoft.OpenAPI.
The problem
Microsoft.OpenAPI's reference-resolution logic follows `$ref` pointers recursively without tracking which schemas it has already visited. When two schemas form a cycle, for example schema A referencing B and B referencing A, the resolver re-enters itself indefinitely until the thread's stack is exhausted.
The crash is a hard process termination via stack overflow, not a catchable exception. Any application, CLI, or service that parses OpenAPI documents from untrusted input in-process is exposed. Both the JSON and YAML reader paths are affected.
Proof of concept
The payload below is a working proof of concept for CVE-2026-49451 in Microsoft.OpenAPI: a minimal OpenAPI 3.0 document whose two component schemas reference each other.
    {
      "openapi": "3.0.0",
      "info": { "title": "PoC", "version": "0.0.1" },
      "paths": {},
      "components": {
        "schemas": {
          "A": { "$ref": "#/components/schemas/B" },
          "B": { "$ref": "#/components/schemas/A" }
        }
      }
    }

The library lacked a visited-set (or depth guard) in its schema reference walk. Each call to resolve a `$ref` triggered a fresh recursive descent with no memory of previously seen schema IDs, so a two-node cycle (A -> B -> A) produced unbounded recursion and a fatal stack overflow (CWE-674).
Commit `6bcac39` (v2.7.5) and its v3.x counterpart introduce cycle detection by tracking schema identifiers already visited during a single resolution pass. When the resolver encounters a schema ID it has seen before, it stops recursing and returns, breaking the cycle before the stack can be exhausted.
The fix
Upgrade to Microsoft.OpenApi 2.7.5 (2.x line) or 3.5.4 (3.x line). The 1.x line is not affected because it could not resolve references that pointed to another reference. As a defence-in-depth measure, parse untrusted OpenAPI documents in an isolated child process so a stack overflow cannot bring down the primary application.
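The following is an added example, not code from the advisory or from Microsoft.OpenAPI. It models both halves of the story above in Python: a naive `$ref` resolver with no memory of visited targets (the pre-fix behaviour, where the two-schema cycle recurses until the stack gives out) and a guarded resolver that keeps a visited set of reference targets during one resolution pass, which is the shape of the fix described for 2.7.5 and 3.5.4. The `find_cycles` helper turns that guard into a pre-parse screen a service can run on untrusted documents before handing them to an in-process parser. All function names, the `CircularReferenceError` type and the benign `SAFE_DOC` document are assumptions made for this example; `POC_DOC` is a constructed copy of the advisory's payload.

```python
import json

# Constructed copy of the advisory's two-schema cycle (A -> B -> A).
POC_DOC = json.loads("""
{
  "openapi": "3.0.0",
  "info": { "title": "PoC", "version": "0.0.1" },
  "paths": {},
  "components": {
    "schemas": {
      "A": { "$ref": "#/components/schemas/B" },
      "B": { "$ref": "#/components/schemas/A" }
    }
  }
}
""")

# Constructed benign document: C refers to D, and D is a concrete object, so no cycle.
SAFE_DOC = {
    "openapi": "3.0.0",
    "info": {"title": "ok", "version": "1"},
    "paths": {},
    "components": {"schemas": {
        "C": {"$ref": "#/components/schemas/D"},
        "D": {"type": "object", "properties": {"id": {"type": "integer"}}},
    }},
}


def deref_pointer(doc, ref):
    """Resolve a local JSON Pointer such as '#/components/schemas/A' to the node it names."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node = doc
    for token in ref[2:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")  # RFC 6901 unescaping
        node = node[token]
    return node


def resolve_naive(doc, schema):
    """Pre-fix behaviour: follow $ref with no memory of what was already visited.
    On the cyclic document this recurses until Python raises RecursionError; the
    equivalent stack overflow in a .NET process is fatal and cannot be caught."""
    if "$ref" in schema:
        return resolve_naive(doc, deref_pointer(doc, schema["$ref"]))
    return schema


class CircularReferenceError(ValueError):
    """Raised when a $ref chain loops back on a target already seen in this pass."""


def resolve_guarded(doc, schema, visited=None):
    """Fixed behaviour: track reference targets visited during a single resolution pass.
    Seeing a target a second time means the document contains a cycle, which is
    reported instead of followed, so the recursion is bounded by the number of schemas."""
    visited = set() if visited is None else visited
    if "$ref" in schema:
        target = schema["$ref"]
        if target in visited:
            raise CircularReferenceError(f"circular $ref chain through {target}")
        visited.add(target)
        return resolve_guarded(doc, deref_pointer(doc, target), visited)
    return schema


def find_cycles(doc):
    """Pre-parse screen for untrusted input: return the names of component schemas whose
    bare $ref chain loops back on itself (an empty list means none were found)."""
    offending = []
    schemas = doc.get("components", {}).get("schemas", {})
    for name, schema in schemas.items():
        try:
            resolve_guarded(doc, schema)
        except CircularReferenceError:
            offending.append(name)
    return offending


def naive_overflows(doc, name):
    """True when the unguarded resolver exhausts the stack on components/schemas/<name>."""
    try:
        resolve_naive(doc, doc["components"]["schemas"][name])
    except RecursionError:
        return True
    return False


if __name__ == "__main__":
    print("naive resolver overflows on A:", naive_overflows(POC_DOC, "A"))
    print("cyclic schemas in PoC document:", find_cycles(POC_DOC))
    print("cyclic schemas in safe document:", find_cycles(SAFE_DOC))
    print("C resolves to:", resolve_guarded(SAFE_DOC, SAFE_DOC["components"]["schemas"]["C"]))
```

Two design notes. First, the visited set is scoped to one resolution pass, so `find_cycles` starts fresh for each top-level schema; a set that lived across the whole document would wrongly flag a second schema that merely shares a target with an earlier one. Second, this screen only follows bare `$ref` chains like the one in the PoC; it does not descend into `properties` or `items`, so legitimate recursive data structures (a tree node whose children refer back to the node) are not reported. The screen is a cheap gate in front of the parser, not a replacement for the upgrade or for running the parser in an isolated child process.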
Related research
- CVE-2026-48502: MessagePack-CSharp ReadDateTime Stack Overflow via Oversized Extension Length (high)
- CVE-2026-48506: MessagePack-CSharp Uncontrolled Recursion in TrySkip Causes Process Crash (high, 7.5)
- CVE-2026-53461: ImageMagick ICON Decoder Heap Out-of-Bounds Write (high, 7.5)
- CVE-2026-49218: Magick.NET DCM Decoder Invalid Dimension Denial of Service (high, 7.5)