CVE-2026-33331 Overview
CVE-2026-33331 is a stored cross-site scripting (XSS) vulnerability affecting oRPC, a tool designed to help developers build end-to-end type-safe APIs that adhere to OpenAPI standards. The vulnerability exists in the OpenAPI documentation generation functionality of oRPC. Prior to version 1.13.9, if an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of users viewing oRPC-generated API documentation, potentially leading to session hijacking, credential theft, or malicious actions performed on behalf of authenticated users.
Affected Products
- oRPC versions prior to 1.13.9
- Applications using oRPC for OpenAPI documentation generation
- Development and staging environments exposing auto-generated API documentation
Discovery Timeline
- 2026-03-24 - CVE CVE-2026-33331 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33331
Vulnerability Analysis
This stored XSS vulnerability arises from insufficient input sanitization in oRPC's OpenAPI documentation generation process. When oRPC renders OpenAPI specification fields into HTML documentation, it fails to properly escape or sanitize user-controlled content. This allows an attacker who can influence OpenAPI specification fields—such as info.description, info.title, or other metadata fields—to inject malicious JavaScript that executes when victims browse the generated documentation.
The attack is classified as "stored" XSS because the malicious payload persists within the OpenAPI specification and is served to all users who view the documentation. This makes it particularly dangerous in shared development environments or public-facing API documentation portals.
Root Cause
The root cause of CVE-2026-33331 is improper neutralization of input during web page generation (CWE-79). The oRPC documentation generator directly embeds OpenAPI specification field values into the rendered HTML output without adequate encoding or sanitization. When these values are embedded within a JSON context in the generated page, an attacker can craft input that breaks out of the JSON structure and injects executable script tags or event handlers.
Attack Vector
The attack requires network access and user interaction. An attacker must first be able to modify or influence the OpenAPI specification fields—this could occur through compromised API definition files, malicious contributions to shared specifications, or exploitation of other input vectors that feed into the OpenAPI spec generation.
Once the malicious payload is embedded in a field like info.description, any user who views the generated API documentation will have the attacker's JavaScript executed in their browser context. This can lead to:
- Session token theft via cookie exfiltration
- Credential harvesting through fake login forms
- Redirection to malicious sites
- Actions performed on behalf of authenticated users
The vulnerability requires user interaction (viewing the documentation), and the scope is changed, meaning the impact extends beyond the vulnerable component to affect other origins or security contexts.
Detection Methods for CVE-2026-33331
Indicators of Compromise
- Unusual or obfuscated content in OpenAPI specification fields such as info.description, info.title, or info.termsOfService
- Script tags, event handlers, or JavaScript URI schemes appearing in API documentation source
- Reports of unexpected browser behavior or popups when viewing API documentation
- Suspicious modifications to OpenAPI specification files in version control
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution
- Monitor API specification files for changes containing script tags or JavaScript event handlers
- Use web application firewalls (WAF) with XSS detection rules on documentation endpoints
- Perform regular security scans of generated API documentation pages
Monitoring Recommendations
- Enable logging for all modifications to OpenAPI specification files
- Monitor browser console errors for CSP violations on documentation pages
- Set up alerts for unusual patterns in documentation access logs
- Review audit logs for unauthorized changes to API metadata fields
How to Mitigate CVE-2026-33331
Immediate Actions Required
- Upgrade oRPC to version 1.13.9 or later immediately
- Review existing OpenAPI specifications for potentially malicious content in description fields
- Implement Content Security Policy headers on documentation endpoints as defense-in-depth
- Restrict write access to OpenAPI specification files to trusted personnel only
Patch Information
The oRPC development team has addressed this vulnerability in version 1.13.9. The fix implements proper output encoding and sanitization for OpenAPI specification fields when generating HTML documentation. Organizations should upgrade to this version or later to remediate the vulnerability.
For detailed information about the patch, refer to the GitHub Security Advisory GHSA-7f6v-3gx7 and the GitHub Commit Update. The patched version is available at the GitHub Release v1.13.9.
Workarounds
- Implement strict Content Security Policy headers that disable inline JavaScript execution
- Manually sanitize all OpenAPI specification fields before documentation generation
- Restrict access to API documentation to authenticated and trusted users only
- Use a web application firewall with XSS filtering rules in front of documentation endpoints
# Example CSP header configuration for nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none';" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
