CVE-2026-59860
Received Received - Intake

Code Generation Injection in Kiota via XML Documentation Comments

Vulnerability report for CVE-2026-59860, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.3, Kiota is affected by a code-generation injection vulnerability in the C# XML documentation-comment sink (the description, externalDocs label, and externalDocs link fields emitted as /// … comments). When text from an OpenAPI description is written into single-line XML doc comments without stripping newline and Unicode line-terminator characters, an attacker can break out of the /// comment line and inject additional code into generated C# clients. This issue is fixed in version 1.32.3.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft kiota to 1.32.3 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59860 is a code-generation injection vulnerability in Microsoft Kiota's C# emitter. It occurs when OpenAPI description fields (like externalDocs.description) contain newline or Unicode line-terminator characters. These characters are not stripped before being written into single-line XML documentation comments (///). This allows attackers to break out of the comment boundary and inject arbitrary C# code into generated client files. The injected code executes when the generated client is built or run.

Detection Guidance

To detect this vulnerability, check if your Kiota version is below 1.32.3 by running: kiota --version. Inspect generated C# files for malicious code in XML doc comments (///). Look for unexpected line breaks or code outside comment blocks in files generated from OpenAPI specs.

Impact Analysis

If you use Kiota to generate C# clients from untrusted OpenAPI descriptions, this vulnerability could allow attackers to inject malicious code into your generated source files. This code would execute when you or your CI pipeline builds or runs the client. It could lead to arbitrary code execution, data breaches, or compromise of your development environment. The impact depends on the privileges of the generated client and the actions it performs.

Compliance Impact

This vulnerability could lead to unauthorized code execution, potentially causing data breaches or unauthorized access to sensitive information. If exploited, it may violate GDPR's data protection requirements or HIPAA's security rules for protected health information. Organizations using Kiota to generate clients for regulated systems must ensure they only use trusted OpenAPI descriptions and upgrade to version 1.32.3 or later to maintain compliance.

Mitigation Strategies

Upgrade Kiota to version 1.32.3 or later. Regenerate all C# clients from OpenAPI specs to replace vulnerable code. Ensure OpenAPI descriptions come from trusted sources only. Review generated files for signs of prior exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59860. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart