CVE-2026-59865

Microsoft · Kiota

Kiota incorrectly processes dependency installation commands from OpenAPI descriptions, leading to potential command injection when these commands are executed by users.

Executive summary

A command injection vulnerability in Microsoft Kiota allows attackers to execute arbitrary system commands by supplying malicious installation instructions in OpenAPI descriptions.

Vulnerability

The Kiota tool reads dependency installation commands from OpenAPI descriptions and presents them as recommended actions. If an attacker controls the OpenAPI description, they can inject arbitrary commands that are subsequently executed by the user or the Kiota VS Code extension.

Business impact

This vulnerability enables command injection on the host system of any developer or administrator who follows the suggested installation command. Given the CVSS score of 9.3, this is a critical risk that could result in full system compromise, data theft, or the installation of persistent backdoors.

Remediation

Immediate Action: Upgrade Microsoft Kiota to version 1.32.5 to ensure that installation commands are sanitized and validated.

Proactive Monitoring: Inspect all dependency installation commands suggested by Kiota before manual execution, especially when working with external or unverified OpenAPI files.

Compensating Controls: Use strict execution policies and run development tools with the minimum necessary privileges to mitigate the impact of potential command injection.

Exploitation status

Public Exploit Available: No

Analyst recommendation

Upgrade to the patched version of Kiota immediately. Always verify the integrity and source of OpenAPI descriptions before processing them with automated code generation tools to prevent the execution of untrusted commands.