CVE-2026-59867
Kiota: Generation-time SSRF + remote/local file inclusion via unrestricted $ref
CVSS Score
7.1
EPSS Score
0.0%
EPSS Percentile
0th
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote http(s) URLs and reading local absolute or out-of-tree file paths, allowing `kiota generate` on an attacker-controlled or attacker-influenced description to perform build-time SSRF, remote file inclusion, and local file inclusion by inlining external schemas such as REMOTE_KIOTA_PROP or Leaked into generated clients. This issue is fixed in version 1.32.5 by AllowedExternalOriginsStreamLoader and the --allowed-external-origins option.
| CWE | CWE-22 CWE-829 CWE-918 |
| Vendor | microsoft |
| Product | kiota |
| Ecosystems | |
| Industries | TechnologyEnterprise |
| Published | Jul 16, 2026 |
| Last Updated | Jul 16, 2026 |
Stay Ahead of the Next One
Get instant alerts for microsoft kiota
Be the first to know when new high vulnerabilities affecting microsoft kiota are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Affected Versions
microsoft / kiota
< 1.32.5
References
github.com: https://github.com/microsoft/kiota/security/advisories/GHSA-rg4h-fpcp-2qm8 github.com: https://github.com/microsoft/kiota/pull/7888 github.com: https://github.com/microsoft/kiota/commit/cccd798027f0a20db796b3df6c64f9897a39d7b1 github.com: https://github.com/microsoft/kiota/releases/tag/v1.32.5