PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-32933 AutoMapper CVE debrief

CVE-2026-32933 is a denial-of-service vulnerability in AutoMapper’s core mapping engine. When the library maps a deeply nested or self-referential object graph, it recurses with no default maximum depth limit until the stack is exhausted. The resulting StackOverflowException cannot be caught by managed code on .NET Core and later, so the whole process terminates rather than a single request failing. The issue is rated High (CVSS 7.5) because it is network-reachable, requires no privileges or user interaction, and primarily impacts availability.

Vendor
Not recorded in stored evidence (the affected project is AutoMapper)
Product
AutoMapper (NuGet package AutoMapper, .NET)
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-13
Original CVE updated
2026-05-14
Advisory published
2026-03-13
Advisory updated
2026-05-14

Who should care

Teams running .NET applications that use the NuGet AutoMapper package, especially services that map attacker-influenced, nested, or self-referential data structures. Internet-facing APIs and backend services should prioritize this first.

Technical summary

The advisory identifies CWE-674 (Uncontrolled Recursion) in AutoMapper. A crafted object graph, either nested far deeper than any legitimate payload or containing a reference cycle, drives repeated recursive mapping calls until the stack is exhausted, causing an unrecoverable process crash in modern .NET runtimes. Affected versions are AutoMapper 16.0.0 through 16.1.0, and all versions earlier than 15.1.1. Fixed releases are 16.1.1 (16.x branch) and 15.1.1 (15.x branch).

Defensive priority

High for any exposed or multi-tenant service that accepts untrusted input; otherwise medium-high because the failure mode is a full process crash rather than a recoverable exception.

Recommended defensive actions

  • Upgrade AutoMapper to 16.1.1 or later, or 15.1.1 or later, depending on the branch in use.
  • Inventory all applications and services that reference the AutoMapper NuGet package.
  • Review any code paths that map user-controlled or externally sourced nested object graphs.
  • Add regression tests that feed deep and self-referential graphs to the mapping code paths and verify the input is rejected or mapped within a bounded depth, not that the process crashes.
  • Monitor for crash loops or unexpected process termination in services that use AutoMapper.
  • If immediate upgrading is not possible, reduce exposure by validating input shape and depth before mapping, and set an explicit MaxDepth on maps of recursive types rather than relying on a library default.
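The following C# program is an added example for this debrief, not code from the AutoMapper project or the advisory. It shows the two mitigations above together: an iterative pre-mapping guard that bounds nesting depth and rejects reference cycles before the graph reaches AutoMapper, and an explicit MaxDepth on the recursive map. It also constructs the two hostile inputs the advisory describes (a self-referential node and a very deep chain) as regression-test fixtures. Node, NodeDto, GraphGuard and MaxGraphDepth are illustrative names; the MapperConfiguration call assumes AutoMapper 15 or later, whose constructor takes an ILoggerFactory, and uses NullLoggerFactory from Microsoft.Extensions.Logging.Abstractions.

```csharp
// Added example; not AutoMapper project code. Node, NodeDto, GraphGuard and
// MaxGraphDepth are illustrative. Assumes AutoMapper 15+/16+ (MapperConfiguration
// takes an ILoggerFactory) and Microsoft.Extensions.Logging.Abstractions.
using System;
using System.Collections.Generic;
using AutoMapper;
using Microsoft.Extensions.Logging.Abstractions;

public sealed class Node
{
    public string Name { get; set; } = "";
    public List<Node> Children { get; set; } = new();
}

public sealed class NodeDto
{
    public string Name { get; set; } = "";
    public List<NodeDto> Children { get; set; } = new();
}

public static class GraphGuard
{
    // Iterative walk with an explicit stack, so the guard itself cannot overflow
    // the call stack on hostile input. Rejects any node reached twice (a cycle or
    // a shared subtree) and any nesting deeper than maxDepth.
    public static bool IsSafe(Node root, int maxDepth, out string reason)
    {
        var seen = new HashSet<Node>();            // Node does not override Equals: reference identity
        var pending = new Stack<(Node node, int depth)>();
        pending.Push((root, 1));

        while (pending.Count > 0)
        {
            var (node, depth) = pending.Pop();
            if (node is null) continue;
            if (!seen.Add(node))
            {
                reason = "self-referential or shared node";
                return false;
            }
            if (depth > maxDepth)
            {
                reason = $"nesting deeper than {maxDepth}";
                return false;
            }
            foreach (var child in node.Children)
                pending.Push((child, depth + 1));
        }
        reason = "";
        return true;
    }
}

public static class Program
{
    private const int MaxGraphDepth = 8;

    public static void Main()
    {
        // Explicit bound on recursive mapping; do not rely on a library default.
        var config = new MapperConfiguration(
            cfg => cfg.CreateMap<Node, NodeDto>().MaxDepth(MaxGraphDepth),
            NullLoggerFactory.Instance);
        var mapper = config.CreateMapper();

        // Constructed hostile input 1: a node that lists itself as a child.
        var cyclic = new Node { Name = "root" };
        cyclic.Children.Add(cyclic);

        // Constructed hostile input 2: a 10,000-deep chain, built iteratively.
        var deep = new Node { Name = "leaf" };
        for (int i = 0; i < 10_000; i++)
            deep = new Node { Name = $"n{i}", Children = { deep } };

        // Constructed benign input: two levels of nesting.
        var small = new Node { Name = "a", Children = { new Node { Name = "b" } } };

        foreach (var input in new[] { cyclic, deep, small })
        {
            if (!GraphGuard.IsSafe(input, MaxGraphDepth, out var why))
            {
                Console.WriteLine($"{input.Name}: rejected before mapping ({why})");
                continue;
            }
            var dto = mapper.Map<NodeDto>(input);
            Console.WriteLine($"{input.Name}: mapped, {dto.Children.Count} child(ren)");
        }
    }
}
```

The guard is deliberately conservative: it rejects shared subtrees as well as true cycles, which is acceptable for JSON-deserialized request bodies (they contain no shared references unless reference handling is switched on) and keeps the check to a single visited set. The three constructed inputs double as the regression fixtures the action list calls for: a test should assert that the cyclic and deep graphs are rejected by the guard and that the benign graph maps, with the test process still alive at the end.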

Evidence notes

Source evidence comes from the GitHub Advisory Database entry GHSA-rvv3-g6hj-g44x, which links to the AutoMapper security advisory, fix commit, and release tags for v16.1.1 and v15.1.1. The advisory lists CWE-674 and vulnerable version ranges for the NuGet package AutoMapper. CVE publication timing is taken from the provided CVE/source dates: published 2026-03-13 and modified 2026-05-14; NVD published the record on 2026-03-20.

Official resources

CVE published 2026-03-13T20:57:07Z; source modified 2026-05-14T06:10:51Z; NVD published 2026-03-20T03:16:00Z.