CVE-2026-59859
Received Received - Intake

PHP Code Injection in Kiota PHP Generator via Unescaped String Literals

Vulnerability report for CVE-2026-59859, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.4, Kiota's PHP generator embedded OpenAPI description, default fields, property names, and other schema-derived strings into PHP double-quoted literals through SanitizeDoubleQuote() in Writers/StringExtensions.cs without escaping $, allowing attacker-controlled ${...}, $var, or {$obj->prop} interpolation constructs to inject arbitrary PHP code into generated model and request-builder classes. This issue is fixed in version 1.32.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft kiota 1.32.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59859 is a code injection vulnerability in the Kiota PHP code generator. It occurs because the generator embeds OpenAPI-derived strings into PHP double-quoted string literals without escaping the $ character. PHP automatically interprets $var, ${...}, or {$obj->prop} as variable interpolations, allowing attacker-controlled input to inject and execute arbitrary PHP or OS commands when the generated client runs.

Detection Guidance

To detect this vulnerability, check if your system uses Kiota versions prior to 1.32.4. Run: kiota --version. Inspect generated PHP files for unescaped $ characters in double-quoted strings. Look for files containing ${...}, $var, or {$obj->prop} patterns in model or request-builder classes.

Impact Analysis

If you use Kiota to generate PHP API clients from untrusted OpenAPI specifications, an attacker could inject malicious code into the generated classes. This could lead to arbitrary code execution when the generated client runs, potentially compromising your system. The impact is highest if generated code reaches production or runs in CI/CD pipelines with access to sensitive data.

Compliance Impact

This vulnerability could lead to unauthorized code execution, potentially resulting in data breaches or unauthorized access to sensitive information. Such incidents may violate compliance requirements under GDPR, HIPAA, or other regulations, leading to legal penalties, reputational damage, and loss of trust. Proper mitigation involves upgrading to version 1.32.4 or later and auditing generated code.

Mitigation Strategies

Upgrade Kiota to version 1.32.4 or later. Regenerate all PHP clients from OpenAPI specs. Audit OpenAPI files for malicious content before generation. Restrict OpenAPI spec sources to trusted internal ones. Implement code reviews for generated files. Isolate generated code from production environments.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59859. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart