CVE-2026-59865
Received Received - Intake

Command Injection in Kiota OpenAPI Client Generator

Vulnerability report for CVE-2026-59865, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, `kiota info` read x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand plus dependency name and version values from an OpenAPI description and presented the spec-supplied command as Kiota's recommended install command, allowing an attacker-controlled or compromised description to cause command injection when the suggested command was run manually or through the Kiota VS Code extension's kiota info --json dependency-install flow. This issue is fixed in version 1.32.5.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
kiota kiota 1.32.5
microsoft kiota 1.32.5
microsoft openapi.kiota to 1.32.5 (exc)
microsoft openapi.kiota.builder to 1.32.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59865 is a command injection vulnerability in Microsoft Kiota. It occurs when the `kiota info` command reads an attacker-controlled OpenAPI description file. The file contains a malicious `x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand` field that Kiota displays as a recommended installation command. When executed, this command runs arbitrary shell commands on the developer's system or CI host.

Detection Guidance

Check installed Kiota versions with 'kiota --version' or 'dotnet list package'. Inspect OpenAPI files for x-ms-kiota-info.languagesInformation fields. Review executed commands in CI logs for unexpected shell commands.

Impact Analysis

This vulnerability allows attackers to execute arbitrary commands on your system if you run the malicious install command suggested by Kiota. This could lead to remote code execution, data theft, or system compromise. It affects developers using Kiota versions prior to 1.32.5 and the Kiota VS Code extension when processing untrusted OpenAPI files.

Compliance Impact

This vulnerability could lead to unauthorized data access or exfiltration, violating GDPR's data protection requirements and HIPAA's safeguards for protected health information. A successful exploit may result in data breaches, triggering compliance violations and potential regulatory penalties.

Mitigation Strategies

Upgrade Kiota to version 1.32.5 or later. Update the Kiota VS Code extension to a compatible version. Remove any x-ms-kiota-info.languagesInformation fields from OpenAPI files. Avoid running suggested install commands from untrusted sources.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59865. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart