What is CVE-2026-22785?

CVE-2026-22785 is a critical vulnerability in orval affecting versions prior to 7.18.0. It allows for arbitrary code injection due to improper validation of OpenAPI specifications. Organizations should prioritize patching immediately.

What is the severity of CVE-2026-22785?

CVE-2026-22785 has a severity rating of CRITICAL with a CVSS base score of 9.3.

CVE-2026-22785 | Critical Vulnerability in orval

CVE-2026-22785 is classified as a critical vulnerability in orval, which generates type-safe JavaScript clients (TypeScript) from valid OpenAPI v3 or Swagger v2 specifications. The vulnerability stems from the MCP server generation logic, which relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. As a result, this allows an attacker to "break out" of the string literal and inject arbitrary code. The issue is resolved in orval version 7.18.0.

This vulnerability has a CVSS score of 9.3, indicating its critical severity. The high score reflects the potential impact on confidentiality, integrity, and availability, making it a significant risk for organizations utilizing affected versions.

Organizations should prioritize patching immediately. The vulnerability is publicly acknowledged, and the urgency for remediation is high given the exploitability of the flaw.

Currently, there is a known exploit available, which further highlights the importance of updating to version 7.18.0 or later to mitigate the risk associated with this vulnerability.

Vulnerability Details

The official description of CVE-2026-22785 details how orval's server generation logic allows for code injection attacks due to inadequate string handling. The vulnerability is classified under CWE-77, which pertains to improper neutralization of special elements used in a command. The vulnerability was published on January 12, 2026, and is addressed in version 7.18.0.

Technical Analysis

The root cause of this vulnerability is the reliance on string manipulation without proper validation. This flaw permits attackers to inject arbitrary code, which can compromise the MCP server's functionality. The attack vector is network-based, with low complexity, meaning that no special privileges or user interaction is required for exploitation.

Given the nature of the vulnerability, the confidentiality, integrity, and availability impacts are all rated as high. Attackers could potentially exploit this vulnerability to gain unauthorized access, disrupt service, or manipulate data.

Risk & Impact Analysis

The risk to organizations includes the possibility of arbitrary code execution, which can lead to unauthorized access and data breaches. The potential blast radius is significant, as many services may rely on orval for client generation, exposing them to similar vulnerabilities. Given the critical nature of this vulnerability and the existence of known exploits, organizations should address this issue in their priority patch cycle.

Exploitation Status

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	No
Ransomware Use	No

Affected Versions

The affected versions of orval include all versions prior to 7.18.0. Organizations using these versions should upgrade to the latest release to mitigate this vulnerability.

Mitigation & Remediation

To remediate this vulnerability, organizations should upgrade to orval version 7.18.0 or later. If immediate patching is not feasible, consider implementing input validation and sanitization measures to mitigate potential exploitation. Additional security practices, such as network segmentation and monitoring, can further reduce risk.

Detection Guidance

Security teams should monitor logs for unusual activity that may indicate attempts to exploit this vulnerability. Behavioral anomalies in the MCP server should also be scrutinized, as they may suggest an ongoing or attempted attack.

AppSecure Threat Intelligence Insight

CVE-2026-22785 highlights the ongoing challenges in software development related to input validation and security. This vulnerability serves as a reminder for security teams to implement robust validation checks in their applications. Continuous security testing is essential to identify vulnerabilities early in the development lifecycle.

Organizations should consider adopting a comprehensive security framework that includes regular penetration testing and security assessments. For further guidance on effective security practices, refer to our penetration testing methodology for a proactive approach to vulnerability management.

Additionally, organizations can benefit from understanding the trends in vulnerability exposure and severity, which can be explored further in our blog about vulnerability management programs that facilitate better security posture.

Finally, organizations should stay informed about emerging threats and vulnerabilities by engaging in ongoing security discussions and training, as emphasized in our article on security testing best practices for comprehensive awareness and preparedness.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2026-22785: Critical Vulnerability in orval