CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-53508

mediumcovered by 1 sourcefirst seen 2026-07-07
Summary From v1.13.2 through v1.18.0, oasdiff did not enforce --allow-external-refs=false (library: openapi3.Loader.IsExternalRefsAllowed = false) when loading a spec from a git revision (the rev:path form, e.g. main:openapi.yaml). External $refs were resolved on that load path even when external refs were explicitly disabled, so the mitigation silently did not apply there. Impact A caller who set --allow-external-refs=false *specifically to safely process untrusted specs* remained exposed — on the git-revision load path only — to: - SSRF via $ref: "http://<internal-host>/…", and - Local file reads via $ref: "/path" or file://. Affected callers: - CLI: oasdiff diff main:openapi.yaml HEAD:openapi.yaml --allow-external-refs=false (and breaking / changelog / summary, and the git-diff-driver) run over untrusted spec content. - Go library consumers of github.com/oasdiff/oasdiff/load that set IsExternalRefsAllowed = false and load from a git-revision source via load.NewSpecInfo. The file and URL load paths correctly enforced the setting; only the git-revision path was affected. Callers that left external refs at the default (true) are not in scope for *this* advisory. Patches v1.18.1 enforces the external-refs policy on the git-revision path (so --allow-external-refs=false now blocks external $refs there) and returns a dedicated exit code (123) when an external $ref is refused. Workarounds - Upgrade to v1.18.1, or - Avoid the git-revision input form when processing untrusted specs with external refs disabled. Notes - Introduced in v1.13.2 (#832, which added $ref-chain resolution on the git-revision path); fixed in v1.18.1 (#974, #975). - The permissive default (allow-external-refs: true) and its zero-interaction exposure in CI via the GitHub Action is tracked separately in GHSA-fhj3-7267-7vv5 (oasdiff-action).

⚡ Watch CVE-2026-53508

Get an email if CVE-2026-53508 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-53508

CVE.org record

Embed the live status

CVE-2026-53508 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-53508 status](https://www.csirts.com/badge/CVE-2026-53508)](https://www.csirts.com/cve/CVE-2026-53508)