CVE-2026-41134
Code Injection Vulnerability in Kiota HTTP Client Generator
Publication date: 2026-04-22
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kiota | kiota | < 1.31.1 (fixed in 1.31.1) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This is a build-time flaw in generated source, not a runtime flaw in a network service, so there is no traffic signature to look for. Detection means answering two questions: which Kiota version produced each client you ship, and whether the OpenAPI description it was generated from could have been untrusted or tampered with.
The generated client is where any injected code would live, so the work is to verify the generator version and inspect the generated source rather than the network.
No vendor-supplied scanner or command detects this automatically; the checks below are inventory and review work that you script yourself.
Recommended steps:
- Identify the generator version. `kiota --version` reports the installed CLI, and the kiota-lock.json that Kiota writes into each generated client directory records the version used for that client in its kiotaVersion field. Treat anything earlier than 1.31.1 as potentially affected.
- Review the generated source for string literals that close early, or for statements, imports, or calls that a clean generation would not emit. Regenerating with 1.31.1 or later and diffing against the committed client is the quickest way to surface such code.
- Regenerate all clients with Kiota 1.31.1 or later from descriptions you trust and whose integrity you can verify (pinned revision or checksum), and keep generating from that source only.
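The two checks above can be scripted. The following is an added example, not part of Kiota, covering both: a version check against a constructed kiota-lock.json, and a pre-generation lint that walks the sinks the advisory lists (path templates, parameter names, property names, enum values, default values) and flags values that could close a string literal. The character allowlists are an assumption chosen for this example, not Kiota's own validation rules, and the sample description and lock file are constructed inline; treat hits as items to review, not proof of tampering.

```python
"""Pre-generation checks for a Kiota client (added example, not Kiota code)."""
import json
import re

FIXED = (1, 31, 1)  # first Kiota release with hardened emitters

# Constructed sample of the kiota-lock.json Kiota writes beside a client;
# only the field used here is shown.
SAMPLE_LOCK = '{"kiotaVersion": "1.30.0", "language": "Python"}'

# Constructed, already-parsed OpenAPI description with three hostile values.
SAMPLE_SPEC = {
    "openapi": "3.0.3",
    "paths": {
        "/users/{id}": {
            "get": {
                "parameters": [
                    {"name": "id", "in": "path"},
                    {"name": 'q"; evil(); "', "in": "query"},
                ]
            }
        }
    },
    "components": {
        "schemas": {
            "User": {
                "properties": {
                    "displayName": {"type": "string", "default": "n/a"},
                    "status": {"type": "string", "enum": ["active", 'x"+run()+"']},
                    'bad"}': {"type": "string"},
                }
            }
        }
    },
}

# Assumed allowlists for this example (not Kiota's rules).
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.\-]*$")          # names that become identifiers/keys
PATH = re.compile(r"^[A-Za-z0-9_.\-/{}:~%]+$")               # URL templates
LITERAL_BREAKERS = re.compile(r"""["'\\\n\r\t`$]|\{|\}""")   # free text that lands in a literal


def lock_version_vulnerable(lock_text: str) -> bool:
    """True when the recorded kiotaVersion predates the fixed release."""
    version = json.loads(lock_text).get("kiotaVersion", "0")
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts < FIXED


def lint_spec(spec: dict) -> list[tuple[str, str]]:
    """Return (location, value) pairs whose value needs review before generation."""
    findings: list[tuple[str, str]] = []
    for path, item in spec.get("paths", {}).items():
        if not PATH.match(path):
            findings.append((f"paths[{path}]", path))
        for method, op in item.items():
            if not isinstance(op, dict):
                continue
            for param in op.get("parameters", []):
                name = str(param.get("name", ""))
                if not IDENT.match(name):
                    findings.append((f"paths[{path}]/{method}/parameters", name))
    for sname, schema in spec.get("components", {}).get("schemas", {}).items():
        _lint_schema(f"components/schemas/{sname}", schema, findings)
    return findings


def _lint_schema(where: str, schema, findings: list) -> None:
    """Recursively check property names, enum values and string defaults."""
    if not isinstance(schema, dict):
        return
    for pname, prop in schema.get("properties", {}).items():
        if not IDENT.match(pname):
            findings.append((f"{where}/properties", pname))
        _lint_schema(f"{where}/properties/{pname}", prop, findings)
    for value in schema.get("enum", []):
        if isinstance(value, str) and LITERAL_BREAKERS.search(value):
            findings.append((f"{where}/enum", value))
    default = schema.get("default")
    if isinstance(default, str) and LITERAL_BREAKERS.search(default):
        findings.append((f"{where}/default", default))


if __name__ == "__main__":
    print("lock file predates fix:", lock_version_vulnerable(SAMPLE_LOCK))
    for where, value in lint_spec(SAMPLE_SPEC):
        print(f"review {where}: {value!r}")
```

Run it against `json.load(open("kiota-lock.json"))` and the parsed description (PyYAML or the JSON module) in CI before `kiota generate`; a non-empty findings list, or a lock file older than 1.31.1, should fail the build until a human has looked.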
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability is a code-generation literal injection in Kiota clients generated from untrusted or compromised OpenAPI descriptions, which lets an attacker place their own code in the generated client. Such code runs with the client application's privileges and can read or alter the data that client handles.
The CVE text does not mention GDPR, HIPAA or similar regimes. Injected code in a client that processes personal or health data is, however, a direct route to the unauthorized access and processing those regimes require you to prevent and, where it occurs, to report.
Organizations that keep using clients generated by affected versions without mitigation (upgrading to 1.31.1 or later and regenerating) therefore carry a risk that these requirements are not met, and should be able to show when clients were regenerated and from which description.
Can you explain this vulnerability to me?
This vulnerability affects Kiota, an OpenAPI-based HTTP client code generator, in versions before 1.31.1. It is a code-generation literal injection: several of the language writers' sinks, such as serialization and deserialization keys, path and query parameter mappings, URL template metadata, enum and property metadata, and default-value emission, write values taken from the OpenAPI description straight into the generated source.
When such a value is emitted without escaping appropriate to the target language's string-literal syntax, a crafted value can close the literal early and the remainder is emitted as code. The injected code becomes part of the generated client and runs wherever that client runs; the attacker needs no access to the generation host, only influence over the description.
The flaw is practically exploitable only when the OpenAPI description used for generation comes from an untrusted source, or when a normally trusted description has been compromised or tampered with (for example, a fetched description replaced in transit or at its origin).
The remediation is to upgrade Kiota to 1.31.1 or later and to regenerate or refresh every existing client so that previously generated code is replaced by the hardened output; upgrading the generator alone does not change clients already in a repository.
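To make the mechanism concrete, the following added example (illustrative code, not Kiota's writer code) emits a small deserializer key map, once by interpolating description values straight into the source and once through the target language's literal escaping. The target language here is Python, so the hardened emitter uses `repr()`; the hostile property name and the module shape are constructed for the example, and the two inspection helpers use the standard `ast` module to show that the naive output contains extra statements and an import that the description should never be able to introduce.

```python
"""Toy emitter showing literal injection during code generation (added example)."""
import ast

# Constructed OpenAPI-style property names mapped to attribute names.
# The second key is hostile: it closes the string and the dict literal,
# then appends its own statements before reopening a dict.
PROPERTIES = {
    "displayName": "display_name",
    'x": "a"}\nimport os\nos.system("id")\nD2 = {"y': "injected",
}


def emit_naive(properties: dict) -> str:
    """Vulnerable emitter: quotes are added by hand, values are not escaped."""
    lines = ["DESERIALIZERS = {"]
    for key, attr in properties.items():
        lines.append(f'    "{key}": "{attr}",')
    lines.append("}")
    return "\n".join(lines) + "\n"


def emit_hardened(properties: dict) -> str:
    """Hardened emitter: every value passes through the target language's
    literal escaping (repr for a Python target) before it reaches the source."""
    lines = ["DESERIALIZERS = {"]
    for key, attr in properties.items():
        lines.append(f"    {repr(key)}: {repr(attr)},")
    lines.append("}")
    return "\n".join(lines) + "\n"


def top_level_statements(source: str) -> int:
    """Number of top-level statements in the generated module.
    A correct map emission produces exactly one (the assignment)."""
    return len(ast.parse(source).body)


def imports_in(source: str) -> list[str]:
    """Module names imported anywhere in the generated source (should be none)."""
    names: list[str] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.extend(alias.name for alias in node.names)
    return names


def deserializer_keys(source: str) -> list[str]:
    """Keys of DESERIALIZERS after executing the generated module in an
    isolated namespace. Only safe on output already verified by the
    checks above; never run the naive output."""
    namespace: dict = {}
    exec(compile(source, "<generated>", "exec"), namespace)
    return list(namespace["DESERIALIZERS"])


if __name__ == "__main__":
    bad = emit_naive(PROPERTIES)
    good = emit_hardened(PROPERTIES)
    print(bad)
    print("naive: statements =", top_level_statements(bad), "imports =", imports_in(bad))
    print(good)
    print("hardened: statements =", top_level_statements(good), "keys =", deserializer_keys(good))
```

The naive output parses as four statements, including `import os` and the `os.system` call, while the hardened output is one assignment whose keys match the input exactly, hostile characters included. The same discipline applies to every sink: a C#, Java, TypeScript or Go writer needs that language's escaping rules for the literal context it is writing into, and the check worth keeping in a test suite is the structural one shown here (parse the output, count statements, confirm no imports or calls appear that the template did not contain).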
How can this vulnerability impact me?
If exploited, this vulnerability lets an attacker who controls the OpenAPI description used for generation place arbitrary code in the generated client source.
That code is compiled or interpreted as part of your application, so it runs with the application's privileges and can read, alter or exfiltrate whatever the client handles, including credentials and API responses.
You are exposed when the description comes from an untrusted or compromised source, because the attacker then controls the input that reaches the generator's emitters; a description you author and store alongside the client is a much smaller risk.
Generating only from trusted, integrity-protected descriptions (pinned revision, checksum or signature) removes the attacker's control over that input and is the main compensating control besides upgrading.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Kiota to 1.31.1 or later on every machine and CI runner that generates clients.
Then regenerate or refresh every existing generated client so that code emitted by an earlier version is replaced by the hardened output; review the diff, since any unexpected statement in the old output is evidence of a tampered description.
Finally, generate only from OpenAPI descriptions whose origin and integrity you control, and record which description revision each client was generated from so that a later compromise of the source can be traced to affected clients.