CVE-2026-59861 in Kiotainfo

Summary

by MITRE • 07/16/2026

Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Ruby generator embedded OpenAPI default fields, property names, and other schema-derived strings through CodeMethodWriter.cs and SanitizeForQuotedLiteral() in Writers/StringExtensions.cs into Ruby double-quoted literals without escaping #, allowing attacker-controlled #{expr}, #$var, or #@var interpolation markers to inject arbitrary Ruby code into generated model classes. This issue is fixed in version 1.32.0.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability in Kiota's Ruby generator represents a critical code injection flaw that stems from inadequate input sanitization during the OpenAPI schema processing phase. This issue affects versions prior to 1.32.0 where the code generation process fails to properly escape special characters in schema-derived strings before embedding them into Ruby double-quoted literals. The root cause lies in the CodeMethodWriter.cs component and the SanitizeForQuotedLiteral() method within Writers/StringExtensions.cs, which do not adequately handle the hash character that serves as Ruby's interpolation operator.

The technical exploitation occurs when attacker-controlled OpenAPI schema data contains strings with unescaped hash characters that get embedded directly into generated Ruby code. When these strings are placed within double-quoted literals, Ruby interprets #{expr}, #$var, or #@var sequences as interpolation markers rather than literal text, enabling arbitrary code execution within the generated model classes. This creates a direct path for remote code execution through maliciously crafted OpenAPI specifications that can be processed by vulnerable versions of Kiota.

The operational impact of this vulnerability extends beyond simple code injection, as it allows attackers to compromise the entire code generation pipeline and potentially execute arbitrary Ruby code on systems where Kiota is used. The flaw affects any organization relying on Kiota for automated client code generation from OpenAPI specifications, particularly those that consume third-party or untrusted API definitions. This vulnerability aligns with CWE-94, which describes improper control of generation of code, and maps to ATT&CK technique T1059.007 for Ruby command execution.

Organizations should immediately upgrade to Kiota version 1.32.0 or later to remediate this vulnerability, as the fix properly implements escaping mechanisms for hash characters in schema-derived strings before embedding them into generated Ruby code. Additional mitigations include validating and sanitizing all input OpenAPI specifications before processing, implementing strict access controls on code generation systems, and monitoring for suspicious patterns in generated code that might indicate exploitation attempts. Security teams should also consider implementing runtime protections such as Ruby's safe mode or application sandboxing to limit potential impact if exploitation occurs despite preventive measures.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Want to know what is going to be exploited?

We predict KEV entries!