Back to CVE List

CVE-2026-59866

Vulnerability Description

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota emitted x-ms-kiota-info clientClassName and clientNamespaceName values without identifier or path sanitization as both generated client class or namespace names and generated output path components when `kiota generate` ran without -c/--class-name, allowing an attacker-controlled or compromised OpenAPI description to write generated source outside the -o output directory and inject arbitrary text into generated class or namespace declarations. This issue is fixed in version 1.32.5 by GenerationConfiguration.SanitizeClientClassName and SanitizeClientNamespaceName.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-22
Source
NVD
Vendor
microsoft
Product
kiota

External References

Discussion (0)

Add Comment

No comments yet. Be the first!