CVE-2026-59866
Microsoft · Kiota
Kiota versions prior to 1.32.5 are vulnerable to path traversal and code injection due to improper sanitization of generated client class names, namespaces, and output paths.
Executive summary
A critical vulnerability in Microsoft Kiota allows unauthenticated attackers to perform arbitrary file writes and code injection, potentially compromising the integrity of generated software projects.
Vulnerability
This flaw involves improper validation of input from OpenAPI descriptions during the generation process. It allows an attacker to bypass directory restrictions and inject arbitrary text into generated source files, and the attack requires no authentication to trigger via a malicious OpenAPI payload.
Business impact
The severity of this issue is reflected by its CVSS score of 9.3, indicating a critical risk to the development pipeline. Successful exploitation could allow an attacker to inject malicious code into applications, leading to supply chain compromises, unauthorized system access, or significant disruption to software delivery lifecycles.
Remediation
Immediate Action: Upgrade Microsoft Kiota to version 1.32.5 or later immediately.
Proactive Monitoring: Audit generated source code for unexpected files outside of designated output directories or unauthorized modifications to class and namespace declarations.
Compensating Controls: Implement strict input validation on all OpenAPI specifications processed by build pipelines to ensure they originate from trusted sources.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical nature of this code injection vulnerability, organizations using Kiota for automated code generation must prioritize updating to version 1.32.5 or higher. Failure to patch creates a direct vector for supply chain attacks that could compromise downstream software deployments.