GitHub Advisory — Orval MCP generation code injection risk (CVE-2026-22785)

• Category: AI CVEs

  • What happened: a GitHub Security Advisory reports CVE-2026-22785 in Orval, where MCP server/client generation can incorporate OpenAPI fields in a way that enables code injection if the spec is attacker-controlled.
  • Why MCP is relevant: MCP ecosystems turn “generated code” into automation surface area. If spec-driven codegen is unsafe, the resulting agent/tooling can become an execution primitive.
  • Threat model: you don’t need an attacker on your machine — you just need a pipeline that consumes untrusted OpenAPI specs (third-party URLs, vendor portals, PRs, tickets, “paste the spec here”).
  • Impact described: arbitrary code can be injected during generation/processing, which can run on developer workstations or CI runners depending on where you generate artifacts.
  • Status: advisory says this is fixed in Orval 7.18.0+.
  • Meta-lesson: “tooling that reads specs” should be treated like a parser for hostile input — apply classic AppSec (escaping, strict schemas, provenance), not just model safety.

Why it matters

  • Spec supply chain is real: OpenAPI specs move across org boundaries and are often copied from the web. That’s a bigger trust boundary than most teams realize.
  • AI tooling amplifies blast radius: MCP integrations tend to be installed quickly (“USB-C for tools”), which increases the odds that codegen is run without hardening.
  • CI compromise risk: if your pipeline generates MCP tooling in CI, the CI runner becomes the target — and CI often has credentials, signing keys, and deploy permissions.

What to do

  1. Update Orval: verify you’re on Orval >= 7.18.0.
  2. Provenance gate OpenAPI specs: only accept specs from allowlisted repos/domains; avoid “fetch spec from arbitrary URL” in automation.
  3. Run codegen in a sandbox: treat code generation like building an untrusted project (container, no secrets, no network unless required).
  4. Add a quick audit check: flag unexpected large diffs in generated MCP code and require review before publishing/using generated tools.
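The four steps above can be enforced as one pre-generation gate in CI. The script below is an added example, not Orval's or the advisory's own code: only the fixed version 7.18.0 comes from the advisory; the lockfile layout (npm lockfile v2/v3 "packages" map), the repo root, the allowlisted host and the sample data are assumptions.

```python
"""Pre-codegen gate for Orval MCP generation: added example, not Orval's or
the advisory's own code. Only the fixed version 7.18.0 comes from the page;
the lockfile layout, repo root, allowlist host and sample data are assumptions."""
import json
import posixpath
import re
from urllib.parse import urlparse

FIXED_VERSION = (7, 18, 0)                        # first fixed release per the advisory
SPEC_ALLOWLIST = {"specs.example-internal.test"}  # constructed: hosts allowed to serve specs

SAMPLE_LOCK = json.dumps({  # constructed package-lock.json (v2/v3 "packages" map) fragment
    "packages": {
        "": {"name": "mcp-tools", "devDependencies": {"orval": "^7.17.0"}},
        "node_modules/orval": {"version": "7.17.0"},
    }
})

def parse_semver(version):
    """'7.18.0' -> (7, 18, 0); a prerelease suffix is ignored for the comparison."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"not a semver string: {version!r}")
    return tuple(int(x) for x in m.groups())

def orval_is_patched(lockfile_json):
    """True only if orval is present and every installed copy (nested ones too) is >= 7.18.0."""
    packages = json.loads(lockfile_json).get("packages", {})
    found = [pkg["version"] for path, pkg in packages.items()
             if path.endswith("node_modules/orval")]
    return bool(found) and all(parse_semver(v) >= FIXED_VERSION for v in found)

def spec_source_allowed(target, repo_root="/workspace/repo"):
    """Accept a path inside the repo checkout or an https URL on an allowlisted host."""
    u = urlparse(target)
    if u.scheme in ("", "file"):              # local file: must not escape the repo root
        resolved = posixpath.normpath(posixpath.join(repo_root, u.path))
        return resolved.startswith(repo_root + "/")
    return u.scheme == "https" and u.hostname in SPEC_ALLOWLIST

def codegen_gate(lockfile_json, spec_target):
    """Blocking findings for a run; an empty list means generation may proceed."""
    findings = []
    if not orval_is_patched(lockfile_json):
        findings.append("orval below 7.18.0 (CVE-2026-22785 unfixed)")
    if not spec_source_allowed(spec_target):
        findings.append(f"spec source not allowlisted: {spec_target}")
    return findings

if __name__ == "__main__":
    for target in ("./openapi.yaml", "https://untrusted.example/openapi.json"):
        print(target, codegen_gate(SAMPLE_LOCK, target))
```

Run it before the generation step and fail the job on a non-empty findings list; the diff-size review in step 4 still happens after generation, since the gate only controls inputs.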

Sources