๐Ÿ” CVE Alert

CVE-2026-59866

UNKNOWN 0.0

Kiota: Arbitrary file write + code-injection via x-ms-kiota-info clientClassName and clientNamespaceName

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota emitted x-ms-kiota-info clientClassName and clientNamespaceName values without identifier or path sanitization as both generated client class or namespace names and generated output path components when `kiota generate` ran without -c/--class-name, allowing an attacker-controlled or compromised OpenAPI description to write generated source outside the -o output directory and inject arbitrary text into generated class or namespace declarations. This issue is fixed in version 1.32.5 by GenerationConfiguration.SanitizeClientClassName and SanitizeClientNamespaceName.

CWE CWE-22 CWE-94
Vendor microsoft
Product kiota
Ecosystems
Industries
TechnologyEnterprise
Published Jul 16, 2026
Stay Ahead of the Next One

Get instant alerts for microsoft kiota

Be the first to know when new unknown vulnerabilities affecting microsoft kiota are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

microsoft / kiota
< 1.32.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/microsoft/kiota/security/advisories/GHSA-4vv7-jj25-4gh6 github.com: https://github.com/microsoft/kiota/pull/7884 github.com: https://github.com/microsoft/kiota/commit/dc812dbbf88ef7edf53a890d36b2f9d1460e947d github.com: https://github.com/microsoft/kiota/releases/tag/v1.32.5