CVE-2026-59860
Microsoft · Kiota
Microsoft Kiota is susceptible to a code injection vulnerability caused by improper control of generated code, which could result in arbitrary code execution.
Executive summary
A high-severity code injection vulnerability in Microsoft Kiota versions prior to 1.32.3 creates a risk of arbitrary code execution.
Vulnerability
This is a CWE-94 vulnerability resulting from improper control of generated code. An unauthenticated attacker can exploit this flaw to inject malicious code during the OpenAPI client generation process, leading to execution in the context of the client application.
Business impact
With a CVSS score of 8.7, this vulnerability represents a significant threat to organizational security. Successful exploitation allows for complete technical impact, potentially leading to unauthorized data access, system manipulation, or service disruption within the client environment.
Remediation
Immediate Action: Update Microsoft Kiota to version 1.32.3 or later.
Proactive Monitoring: Review logs for suspicious activity during the client generation phase and monitor for unexpected file system or process modifications.
Compensating Controls: Use hardened build environments and implement strict input validation for all OpenAPI definitions processed by Kiota.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the potential for total system compromise, immediate patching is required. All developers and security administrators should verify their current Kiota version and apply the 1.32.3 update as part of their standard security maintenance cycle.