CVE-2026-59862
Received Received - Intake

Kiota Python Generator Code Injection via Enum Descriptions

Vulnerability report for CVE-2026-59862, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Python generator let attacker-controlled enum value descriptions from x-ms-enum.values[].description flow through KiotaBuilder.SetEnumOptions into Documentation.DescriptionTemplate and PythonConventionService.RemoveInvalidDescriptionCharacters without newline sanitization, allowing generated inline comments to split and execute attacker-controlled Python code at module scope when generated modules were imported. This issue is fixed in version 1.32.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
kiota kiota 1.32.0
microsoft kiota to 1.32.0 (exc)
microsoft kiota_builder to 1.32.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59862 is a code generation vulnerability in Kiota's Python generator. It allows attackers to inject malicious code into generated Python files by exploiting unsanitized enum value descriptions from OpenAPI specifications. When the generated code is imported, the injected code executes at module scope, enabling arbitrary actions.

Detection Guidance

Detecting this vulnerability requires checking for outdated Kiota Python generator versions. Run pip show Microsoft.OpenApi.Kiota or pip show Microsoft.OpenApi.Kiota.Builder to verify versions. If versions are below 1.32.0, the system is vulnerable. Also inspect generated Python files for suspicious inline comments or module-level code that may indicate exploitation.

Impact Analysis

This vulnerability can lead to credential theft, exposure of environment variables and secrets, source code disclosure, and persistence via backdoored client output. Exploitation requires generating a client from a malicious OpenAPI spec and importing the generated code, which is common in development and CI workflows.

Compliance Impact

This vulnerability could lead to unauthorized code execution when generating Python clients from untrusted OpenAPI specifications. This may result in credential theft, environment variable exposure, or source code disclosure, which could violate GDPR (data protection) or HIPAA (health data privacy) requirements depending on the context of use.

Mitigation Strategies

Upgrade to Kiota version 1.32.0 or later using pip install --upgrade Microsoft.OpenApi.Kiota. Regenerate all Python clients from OpenAPI specifications. Avoid generating clients from untrusted sources and disable automatic generation from remote specs. Validate x-ms-enum descriptions before processing.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59862. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart