CVE-2026-59864
Received Received - Intake

Path Traversal in Kiota Code Generator

Vulnerability report for CVE-2026-59864, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, `kiota plugin add` and `kiota plugin generate` (with `-t APIPlugin`) emitted attacker-controlled static_template.file values from x-ai-adaptive-card and x-ai-capabilities into generated Microsoft 365 Copilot and Teams plugin manifests without path validation, allowing ../, absolute, rooted, UNC, Windows drive, or URI paths in response_semantics.static_template.file to cause path traversal or out-of-package file inclusion when the generated plugin was deployed. This issue is fixed in version 1.32.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
kiota kiota 1.32.5
microsoft kiota 1.32.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Kiota versions before 1.32.5 allows attackers to inject malicious file paths into generated Microsoft 365 Copilot or Teams plugin manifests via x-ai-adaptive-card and x-ai-capabilities extensions. The static_template.file field in plugin manifests could be manipulated to include path traversal sequences, absolute paths, or URIs, leading to out-of-package file inclusion when the plugin is deployed.

Detection Guidance

To detect this vulnerability, check for generated plugin manifests (e.g., <name>-apiplugin.json) created by Kiota versions prior to 1.32.5. Inspect the static_template.file field in x-ai-adaptive-card or x-ai-capabilities extensions for unsafe paths like absolute paths, UNC paths, Windows drive paths, or parent directory traversals (e.g., ../../). Use commands like grep to search for these patterns in your plugin directories.

Impact Analysis

An attacker could access unauthorized files outside the plugin package by exploiting path traversal or including external resources. This could lead to data leaks, unauthorized file access, or compromise of the plugin's integrity. The vulnerability has a CVSS score of 9.3, indicating critical severity with high impacts on confidentiality, integrity, and availability.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating compliance requirements such as GDPR (data protection) and HIPAA (health information privacy). Unauthorized file access may result in data breaches, triggering regulatory penalties and legal consequences.

Mitigation Strategies
  • Upgrade Kiota to version 1.32.5 or later to apply the path validation fix.
  • Regenerate all affected plugin manifests using the updated Kiota version to ensure unsafe paths are removed.
  • Review existing plugin manifests for any suspicious static_template.file references and remove or sanitize them.
  • Monitor plugin deployments to ensure no unauthorized file access or path traversal occurs during execution.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59864. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart