Skip to main content

Microsoft Kiota CVE-2026-59867

| EUVDEUVD-2026-44937 HIGH
Path Traversal (CWE-22)
2026-07-16 GitHub_M
7.1
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
vuln.today AI
7.1 HIGH

SSRF fetch gives AV:N with no auth to the tool (PR:N), but a developer must run generation on a malicious spec (UI:R); LFI yields C:H while schema inlining gives only I:L and no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Jul 16, 2026 - 17:03 EUVD
Source Code Evidence Fetched
Jul 16, 2026 - 15:51 vuln.today
Analysis Generated
Jul 16, 2026 - 15:51 vuln.today
CVE Published
Jul 16, 2026 - 14:48 cve.org
HIGH 7.1

DescriptionCVE.org

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing kiota generate on an attacker-controlled or attacker-influenced description to perform build-time SSRF, remote file inclusion, and local file inclusion by inlining external schemas such as REMOTE_KIOTA_PROP or Leaked into generated clients. This issue is fixed in version 1.32.5 by AllowedExternalOriginsStreamLoader and the --allowed-external-origins option.

AnalysisAI

Build-time SSRF, remote file inclusion, and local file inclusion in Microsoft Kiota before 1.32.5 lets an attacker-controlled OpenAPI description force the kiota generate command to fetch arbitrary remote http(s) URLs and read local absolute or out-of-tree file paths while resolving $ref values. Because Kiota inlined those external schemas into generated clients, an attacker could exfiltrate internal endpoints or leak local file contents (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft OpenAPI spec with malicious $ref
Delivery
Deliver spec to victim developer/CI
Exploit
Victim runs kiota generate
Execution
Kiota resolves ref via SSRF/LFI
Persist
External schema fetched and inlined
Impact
Internal data leaked into generated client

Vulnerability AssessmentAI

Exploitation Exploitation requires a victim to run a Kiota generation command (e.g. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N, base 7.1) captures the real profile: network-reachable side effects (SSRF/RFI) and high confidentiality impact from local file inclusion, but gated by user interaction - a developer must actually run `kiota generate` against a malicious or attacker-influenced description. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer generates a client from an OpenAPI description supplied by a third party (or whose $ref values an attacker can influence), running `kiota generate` in a CI pipeline with internal network access. During reference resolution, Kiota fetches an attacker-specified internal URL (SSRF) or reads a local file such as a credentials or config file, then inlines that content into the generated client, exposing or exfiltrating it. …
Remediation Vendor-released patch: upgrade Microsoft Kiota to 1.32.5 or later, where external references are blocked by default via AllowedExternalOriginsStreamLoader. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all Kiota installations across development teams and CI/CD pipelines (focus on versions before 1.32.5) and restrict OpenAPI specification sources to cryptographically-verified, internally-controlled repositories only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59867 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy