Skip to main content

Microsoft Kiota CVE-2026-59865

| EUVDEUVD-2026-44933 CRITICAL
Code Injection (CWE-94)
2026-07-16 GitHub_M
9.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.8 HIGH

Spec is fetched over the network (AV:N) but the victim must run kiota info and then execute the suggested command (UI:R); successful injection yields full RCE in the user's context so C/I/A:H, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 17:03 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 15:51 vuln.today
Analysis Generated
Jul 16, 2026 - 15:51 vuln.today
CVE Published
Jul 16, 2026 - 14:43 cve.org
CRITICAL 9.3

DescriptionCVE.org

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, kiota info read x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand plus dependency name and version values from an OpenAPI description and presented the spec-supplied command as Kiota's recommended install command, allowing an attacker-controlled or compromised description to cause command injection when the suggested command was run manually or through the Kiota VS Code extension's kiota info --json dependency-install flow. This issue is fixed in version 1.32.5.

AnalysisAI

Command injection in Microsoft Kiota before 1.32.5 lets a malicious or compromised OpenAPI description dictate the install command that Kiota presents to developers. When a developer runs kiota info (or the VS Code extension's kiota info --json dependency-install flow) against an attacker-controlled spec, Kiota reads the x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand field plus attacker-chosen dependency name/version values and surfaces them as its trusted recommended install command, achieving arbitrary command execution when that command is run. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Host malicious OpenAPI spec
Delivery
Victim runs kiota info against it
Exploit
Kiota reads x-ms-kiota-info dependencyInstallCommand
Execution
Presents injected command as recommended
Persist
Developer executes suggested command
Impact
Arbitrary code runs in developer context

Vulnerability AssessmentAI

Exploitation Exploitation requires the victim to run `kiota info` (or the VS Code extension's `kiota info --json` dependency-install flow) against an attacker-controlled or compromised OpenAPI description containing a crafted `x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand` value or malicious dependency name/version, on a vulnerable Kiota version prior to 1.32.5. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 9.3 with vector AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H, implying trivial remote unauthenticated full-impact exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes or compromises an OpenAPI description and embeds a malicious `x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand` (or crafted dependency name/version) containing shell metacharacters. A developer points `kiota info` or the VS Code extension at that spec, sees Kiota's authoritative-looking recommended install command, and runs it - executing the attacker's payload in their shell. …
Remediation Vendor-released patch: upgrade to Kiota 1.32.5, which removes support for the `x-ms-kiota-info` `dependencyInstallCommand` extension so spec-supplied install commands are no longer read or emitted (fix in PR https://github.com/microsoft/kiota/pull/7883, commit e1d6d76c6eecbe50785429166faaf8c831e036c6; advisory https://github.com/microsoft/kiota/security/advisories/GHSA-hq9q-27g5-qwpj). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Microsoft Kiota and immediately advise development teams to discontinue use of the kiota info command and the VS Code extension's dependency-install workflow until a vendor patch becomes available. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59865 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy