CVE-2026-59865
Microsoft · Kiota
Kiota incorrectly processes dependency installation commands from OpenAPI descriptions, leading to potential command injection when these commands are executed by users.
Executive summary
A command injection vulnerability in Microsoft Kiota allows attackers to execute arbitrary system commands by supplying malicious installation instructions in OpenAPI descriptions.
Vulnerability
The Kiota tool reads dependency installation commands from OpenAPI descriptions and presents them as recommended actions. If an attacker controls the OpenAPI description, they can inject arbitrary commands that are subsequently executed by the user or the Kiota VS Code extension.
Business impact
This vulnerability enables command injection on the host system of any developer or administrator who follows the suggested installation command. Given the CVSS score of 9.3, this is a critical risk that could result in full system compromise, data theft, or the installation of persistent backdoors.
Remediation
Immediate Action: Upgrade Microsoft Kiota to version 1.32.5 to ensure that installation commands are sanitized and validated.
Proactive Monitoring: Inspect all dependency installation commands suggested by Kiota before manual execution, especially when working with external or unverified OpenAPI files.
Compensating Controls: Use strict execution policies and run development tools with the minimum necessary privileges to mitigate the impact of potential command injection.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Upgrade to the patched version of Kiota immediately. Always verify the integrity and source of OpenAPI descriptions before processing them with automated code generation tools to prevent the execution of untrusted commands.