CVE-2026-59861
Received Received - Intake

Code Injection in Kiota Ruby Generator via Unescaped Interpolation

Vulnerability report for CVE-2026-59861, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Ruby generator embedded OpenAPI default fields, property names, and other schema-derived strings through CodeMethodWriter.cs and SanitizeForQuotedLiteral() in Writers/StringExtensions.cs into Ruby double-quoted literals without escaping #, allowing attacker-controlled #{expr}, #$var, or #@var interpolation markers to inject arbitrary Ruby code into generated model classes. This issue is fixed in version 1.32.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
kiota kiota 1.32.0
microsoft kiota to 1.32.0 (exc)
microsoft openapi.kiota to 1.32.0 (exc)
microsoft openapi.kiota.builder to 1.32.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a Ruby code injection flaw in the Kiota OpenAPI HTTP Client code generator. It occurs because Kiota embeds OpenAPI schema strings like default fields and property names into Ruby double-quoted string literals without escaping the # character. Ruby evaluates #{} expressions in such strings, allowing attackers who control an OpenAPI file to inject malicious Ruby code into generated model classes.

Detection Guidance

To detect this vulnerability, check the version of Kiota installed on your system. If you are using a version prior to 1.32.0, your system may be vulnerable. Run 'kiota --version' to verify. Additionally, inspect generated Ruby client code for unescaped '#' characters in string literals, particularly in files generated from external OpenAPI specifications.

Impact Analysis

If you use Kiota to generate Ruby API clients from untrusted OpenAPI specs, attackers could inject code that executes when the generated client runs. This could lead to arbitrary code execution, data breaches, or service disruption. The impact varies: critical if code reaches production, high in CI/CD environments with production secrets, medium for public third-party specs, and low for developer-controlled specs.

Compliance Impact

This vulnerability could lead to unauthorized code execution, potentially violating data protection requirements under GDPR (e.g., unauthorized data access) or HIPAA (e.g., exposure of protected health information). Compliance may be impacted if generated clients process sensitive data without proper safeguards.

Mitigation Strategies

Upgrade Kiota to version 1.32.0 or later immediately. Regenerate all Ruby client code using the updated version. Audit OpenAPI specifications for malicious '#' characters before generation. Implement code reviews for generated Ruby files and restrict OpenAPI specification sources to trusted internal ones.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59861. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart