CVE-2026-59866
Received Received - Intake

Path Traversal in Kiota OpenAPI Client Generator

Vulnerability report for CVE-2026-59866, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota emitted x-ms-kiota-info clientClassName and clientNamespaceName values without identifier or path sanitization as both generated client class or namespace names and generated output path components when `kiota generate` ran without -c/--class-name, allowing an attacker-controlled or compromised OpenAPI description to write generated source outside the -o output directory and inject arbitrary text into generated class or namespace declarations. This issue is fixed in version 1.32.5 by GenerationConfiguration.SanitizeClientClassName and SanitizeClientNamespaceName.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
kiota kiota 1.32.5
microsoft kiota 1.32.5

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59866 is a code injection vulnerability in Kiota, an OpenAPI-based HTTP Client code generator. It occurs when Kiota emits unsanitized client class and namespace names from attacker-controlled OpenAPI descriptions. This allows writing files outside the intended output directory or injecting malicious text into generated code. The issue was fixed in version 1.32.5 by adding sanitization methods to validate and clean these names.

Detection Guidance

Check Kiota version with 'kiota --version'. If it is below 1.32.5, the system is vulnerable. Inspect generated client code for unexpected class or namespace names containing special characters or paths outside the intended output directory.

Impact Analysis

This vulnerability could allow an attacker to write files outside the intended output directory or inject malicious code into generated client classes or namespaces. This may lead to file corruption, build disruptions, or unintended code execution during compilation. Remote code execution is prevented due to compilation failures from injected code.

Mitigation Strategies

Upgrade Kiota to version 1.32.5 or later using your package manager. Regenerate all affected clients with the updated version to ensure sanitization of class and namespace names.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59866. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart