CVE-2026-59864

Microsoft · Kiota

The Kiota code generator fails to validate paths in plugin manifest templates, enabling path traversal or arbitrary file inclusion when generated plugins are deployed.

Executive summary

A path traversal vulnerability in Microsoft Kiota allows attackers to execute out-of-package file inclusion, potentially leading to unauthorized data access or code execution.

Vulnerability

The vulnerability exists in the plugin generation logic, where attacker-controlled paths from OpenAPI descriptions are processed without validation. This allows the inclusion of malicious file paths, such as relative or absolute references, into the generated manifest files.

Business impact

The ability to perform path traversal or out-of-package file inclusion can allow an attacker to read sensitive files from the host system or manipulate the deployment package to include malicious components. With a CVSS score of 9.3, this flaw poses a severe threat to the security of systems utilizing generated plugins.

Remediation

Immediate Action: Upgrade Microsoft Kiota to version 1.32.5 or higher to enforce proper path validation.

Proactive Monitoring: Review generated plugin manifests for unexpected file path references or unconventional directory traversal sequences.

Compensating Controls: Ensure that generated code is deployed in a sandboxed or restricted environment to limit the impact of potential file access violations.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Users of the Kiota code generator should upgrade immediately to prevent the creation of compromised plugin packages. Organizations should also treat OpenAPI descriptions from untrusted sources as untrusted input.