๐Ÿ” CVE Alert

CVE-2026-59863

UNKNOWN 0.0

Kiota: Workspace-config poisoning: out-of-repo file write + generation-time SSRF

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota honored a poisoned .kiota/workspace.json workspace configuration without validating per-client or per-plugin outputPath values during kiota client generate and kiota plugin generate, allowing a malicious repository or pull request to use absolute paths, rooted POSIX / paths, UNC \\ or // paths, Windows drive X:\ paths, or .. traversal segments to write generated client files outside the workspace root on a developer or CI host. This issue is fixed in version 1.32.5.

CWE CWE-22
Vendor microsoft
Product kiota
Ecosystems
Industries
TechnologyEnterprise
Published Jul 16, 2026
Last Updated Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for microsoft kiota

Be the first to know when new unknown vulnerabilities affecting microsoft kiota are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

microsoft / kiota
< 1.32.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/microsoft/kiota/security/advisories/GHSA-4rj6-vrwv-wr8m github.com: https://github.com/microsoft/kiota/pull/7885 github.com: https://github.com/microsoft/kiota/commit/4049327872db7846ace35c9003774d3e3878e4e9 github.com: https://github.com/microsoft/kiota/releases/tag/v1.32.5