SCA: security update for Microsoft.OpenAPI (GHSA-v5pm-xwqc-g5wc)

Severity: High. Tenable Cloud Security Plugin ID 444181

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The OpenAPI.NET SDK contains a useful object model for OpenAPI documents in .NET along with common
serializers to extract raw OpenAPI JSON and YAML documents from the model. From 2.0.0-preview11 until
2.7.5 and 3.5.4, a small OpenAPI document containing a circular schema reference can cause process
termination through stack overflow in Microsoft.OpenApi. The issue affects OpenAPI document parsing
through public OpenAPI.NET reader APIs and has been confirmed across both JSON and YAML reader paths. This
vulnerability is fixed in 2.7.5 and 3.5.4. (CVE-2026-49451)

Solution

Update the Microsoft.OpenAPI library and its related packages to version 2.7.5 or later. On the 3.x line, update to 3.5.4 or later, the other fixed version named in the description.

See Also

https://github.com/advisories/GHSA-v5pm-xwqc-g5wc

Plugin Details

Severity: High

ID: 444181

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 6/30/2026

Updated: 6/30/2026

Risk Information

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-49451

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/30/2026

Vulnerability Publication Date: 6/30/2026

Reference Information

CVE: CVE-2026-49451

CWE: CWE-674