CVE-2026-59865
Kiota: Command injection via x-ms-kiota-info dependencyInstallCommand surfaced by `kiota info`
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, `kiota info` read x-ms-kiota-info.languagesInformation.<language>.dependencyInstallCommand plus dependency name and version values from an OpenAPI description and presented the spec-supplied command as Kiota's recommended install command, allowing an attacker-controlled or compromised description to cause command injection when the suggested command was run manually or through the Kiota VS Code extension's kiota info --json dependency-install flow. This issue is fixed in version 1.32.5.
| CWE | CWE-94 CWE-829 |
| Vendor | microsoft |
| Product | kiota |
| Ecosystems | |
| Industries | TechnologyEnterprise |
| Published | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for microsoft kiota
Be the first to know when new unknown vulnerabilities affecting microsoft kiota are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
microsoft / kiota
< 1.32.5
References
github.com: https://github.com/microsoft/kiota/security/advisories/GHSA-hq9q-27g5-qwpj github.com: https://github.com/microsoft/kiota/pull/7883 github.com: https://github.com/microsoft/kiota/commit/e1d6d76c6eecbe50785429166faaf8c831e036c6 github.com: https://github.com/microsoft/kiota/releases/tag/v1.32.5