Skip to main content

Kiota CVE-2026-59866

| EUVDEUVD-2026-44936 CRITICAL
Path Traversal (CWE-22)
2026-07-16 GitHub_M
9.3
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.4 HIGH

Attacker-supplied spec is fetched over network (AV:N) but a developer must run the generator (UI:R); write outside -o escapes the tool's scope (S:C); impact is file-write and code injection (I:H), not disclosure (C:N).

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 17:03 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 15:51 vuln.today
Analysis Generated
Jul 16, 2026 - 15:51 vuln.today
CVE Published
Jul 16, 2026 - 14:46 cve.org
CRITICAL 9.3

DescriptionCVE.org

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota emitted x-ms-kiota-info clientClassName and clientNamespaceName values without identifier or path sanitization as both generated client class or namespace names and generated output path components when kiota generate ran without -c/--class-name, allowing an attacker-controlled or compromised OpenAPI description to write generated source outside the -o output directory and inject arbitrary text into generated class or namespace declarations. This issue is fixed in version 1.32.5 by GenerationConfiguration.SanitizeClientClassName and SanitizeClientNamespaceName.

AnalysisAI

Path traversal and code injection in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description write generated source files outside the intended output directory and inject arbitrary text into class/namespace declarations. When a developer runs kiota generate without the -c/--class-name flag, Kiota consumes the clientClassName and clientNamespaceName values from the OpenAPI x-ms-kiota-info extension without identifier or path sanitization, using them both as code identifiers and as filesystem path components. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts malicious OpenAPI spec
Delivery
Embed traversal payload in x-ms-kiota-info
Exploit
Developer runs kiota generate without -c
Execution
Unsanitized names used as output path
Persist
Write source outside -o and inject declarations
Impact
Malicious code compiled into project

Vulnerability AssessmentAI

Exploitation Requires a developer to run `kiota generate` WITHOUT the -c/--class-name option against an attacker-controlled or compromised OpenAPI description in which the `x-ms-kiota-info` extension supplies malicious clientClassName and/or clientNamespaceName values (path-separator or `..` sequences for directory escape, or identifier-breaking characters for code injection). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) yields 9.3 Critical and models fully unauthenticated remote impact, but this understates the practical precondition: exploitation is not a remote hit against a running service - it requires a developer to run `kiota generate` against an attacker-supplied or compromised OpenAPI description, and specifically without -c/--class-name. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker publishes or tampers with an OpenAPI description hosted at a URL a developer consumes, embedding an `x-ms-kiota-info` extension whose clientNamespaceName contains `../../` traversal and whose clientClassName carries injected declaration text. When the developer runs `kiota generate -o ./client` without -c, Kiota writes generated source outside ./client and emits the attacker's text into class/namespace declarations, which is compiled into the project. …
Remediation Vendor-released patch: upgrade Kiota to 1.32.5 or later, which sanitizes clientClassName and clientNamespaceName from settings and the `x-ms-kiota-info` extension before using them in code or file paths (see release https://github.com/microsoft/kiota/releases/tag/v1.32.5 and advisory https://github.com/microsoft/kiota/security/advisories/GHSA-4vv7-jj25-4gh6). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Although no public exploit has been identified at time of analysis, immediately inventory all Microsoft Kiota deployments across development and CI/CD infrastructure to identify versions prior to 1.32.5, and halt processing of OpenAPI specifications from external or untrusted sources within 24 hours. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59866 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy