CVE-2026-59859
Microsoft · Kiota
Kiota contains a code injection vulnerability that allows an attacker to execute arbitrary code via improper control of generated code.
Executive summary
A critical code injection vulnerability in Microsoft Kiota versions prior to 1.32.4 poses a significant risk of arbitrary code execution.
Vulnerability
This vulnerability is a CWE-94 code injection flaw. It occurs due to the improper control of code generation during the OpenAPI client creation process, allowing an unauthenticated attacker to inject malicious instructions that are subsequently executed by the client.
Business impact
Successful exploitation of this vulnerability could lead to total compromise of the affected client environment. Given the CVSS score of 8.7, the impact on confidentiality, integrity, and availability is severe, potentially allowing attackers to gain full control over the host system or pivot deeper into the network.
Remediation
Immediate Action: Update Microsoft Kiota to version 1.32.4 or later immediately.
Proactive Monitoring: Monitor build pipelines and client execution environments for anomalous code generation patterns or unexpected outbound network connections initiated by the client.
Compensating Controls: Ensure that code generation processes are isolated within restricted environments with minimal privileges to limit the impact of potential execution.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The high CVSS score reflects the serious nature of this code injection risk. Organizations utilizing Kiota for OpenAPI client generation must prioritize updating to version 1.32.4 to eliminate this attack vector.