CVE-2026-59864
Microsoft · Kiota
The Kiota code generator fails to validate paths in plugin manifest templates, enabling path traversal or arbitrary file inclusion when generated plugins are deployed.
Executive summary
A path traversal vulnerability in Microsoft Kiota allows attackers to execute out-of-package file inclusion, potentially leading to unauthorized data access or code execution.
Vulnerability
The vulnerability exists in the plugin generation logic, where attacker-controlled paths from OpenAPI descriptions are processed without validation. This allows the inclusion of malicious file paths, such as relative or absolute references, into the generated manifest files.
Business impact
The ability to perform path traversal or out-of-package file inclusion can allow an attacker to read sensitive files from the host system or manipulate the deployment package to include malicious components. With a CVSS score of 9.3, this flaw poses a severe threat to the security of systems utilizing generated plugins.
Remediation
Immediate Action: Upgrade Microsoft Kiota to version 1.32.5 or higher to enforce proper path validation.
Proactive Monitoring: Review generated plugin manifests for unexpected file path references or unconventional directory traversal sequences.
Compensating Controls: Ensure that generated code is deployed in a sandboxed or restricted environment to limit the impact of potential file access violations.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Users of the Kiota code generator should upgrade immediately to prevent the creation of compromised plugin packages. Organizations should also treat OpenAPI descriptions from untrusted sources as untrusted input.